TAG requests addition to section 3.2.1 of Part 3 from Henry S. Thompson on 2009-12-18 (ietf-http-wg@w3.org from October to December 2009)

From: Henry S. Thompson <ht@inf.ed.ac.uk>
Date: Fri, 18 Dec 2009 19:19:43 +0000
To: ietf-http-wg@w3.org
Message-ID: <f5bskb8ytrk.fsf@hildegard.inf.ed.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

During its telcon of 2009-12-17 [1], the TAG agreed to request that
the following paragraphs be added at the end of section 3.2.1 of Part
3 of HTTP bis [2]:

  If the Content-Type header field _is_ present, a receipient which
  interprets the underlying data in a way inconsistent with the
  specified media type risks drawing incorrect conclusions.

  In practice, however, currently-deployed servers sometime provide a
  Content-Type header which does not correctly identify the content
  sent, with the result that some classes of recipients have adopted a
  policy of examining the content and overriding the specified type.

  Such 'sniffing' SHOULD NOT be done unless there is evidence that the
  specified media type is in error (for example, because it is
  'text/plain' but there are bytes in the data which are not legal for
  the specified or defaulted charset).  In any case recipients SHOULD
  NOT override the specified type if the change would significantly
  increase the security exposure ('privilege escalation').

  Deploying any heuristic for detecting mistaken Content-Types risks
  overriding user intentions and misrepresenting data---accordingly
  recipients SHOULD provide for users to disable sniffing in general
  and/or in particular cases.

Thank you,

ht, by and on behalf of the TAG

[1] http://tools.ietf.org/html/draft-ietf-httpbis-p3-payload-08#section-3.2.1
[2] http://www.w3.org/2001/tag/2009/12/17-minutes.html#item05
- -- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
                         Half-time member of W3C Team
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFLK9XPkjnJixAXWBoRAudxAJ9YZg70dC0piSh+34ftR5+X4n/y9wCdEHnw
rWL3bWKkuX4nqIHyKmBQ4wI=
=sZXk
-----END PGP SIGNATURE-----

Received on Friday, 18 December 2009 19:20:12 UTC