- From: David Morris <dwm@xpasc.com>
- Date: Wed, 24 Mar 2010 17:37:58 -0700 (PDT)
- To: "'HTTP Working Group'" <ietf-http-wg@w3.org>
- cc: public-html@w3.org, www-tag@w3.org
On Wed, 24 Mar 2010, Yves Lafon wrote:
> 7.3 Media Type Issue
>
> If the Content-Type header field is present, a recipient which
> interprets the underlying data in a way inconsistent with the
> specified media type risks drawing incorrect conclusions.
>
> In practice, however, currently-deployed servers sometime provide a
> Content-Type header which does not correctly identify the content
> sent, with the result that some classes of recipients have adopted a
> policy of examining the content and overriding the specified type.
>
> Deploying any heuristic for detecting mistaken Content-Types risks
> overriding user intentions and misrepresenting data. It may also
> significantly increase the security exposure ('privilege escalation');
> Such recipients SHOULD NOT override the specified type it there are
wrong ^^^^ word
> known security risks and they SHOULD provide for users to disable such
> heuristic Content-Type detection.
Nice artistic avoidance of the sniffword... I have no objection providing
'it' doesn't become something I haven't tried in context.
Dave Morris
Received on Thursday, 25 March 2010 00:38:35 UTC
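The quoted draft text states a policy without showing what a recipient's decision logic would look like. The following is an added illustration, not code from the draft or from either author, of a recipient that uses the declared Content-Type by default, lets the user disable heuristic detection, and refuses an override that would escalate passive content to an active type. The signature table and the set of "active" types are constructed assumptions for the example.

```python
import re
from typing import Optional

# Constructed, deliberately small sniffing table (leading bytes -> media type).
# Real sniffing algorithms are far larger; this only illustrates the policy.
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
HTML_MARKERS = re.compile(rb"^\s*<(!doctype html|html|head|body|script)", re.I)

# Assumed list: types whose substitution for the declared type lets the
# recipient execute active content (the draft's "privilege escalation").
ACTIVE_TYPES = {"text/html", "application/javascript", "text/javascript",
                "image/svg+xml", "application/xhtml+xml"}


def sniff(body: bytes) -> Optional[str]:
    """Guess a media type from leading bytes; None if nothing matches."""
    for magic, mtype in SIGNATURES:
        if body.startswith(magic):
            return mtype
    if HTML_MARKERS.match(body[:512]):
        return "text/html"
    return None


def effective_type(declared: Optional[str], body: bytes,
                   allow_override: bool) -> str:
    """Choose the media type to act on, following the quoted policy.

    declared        -- value of the Content-Type header, or None if absent
    allow_override  -- user setting: may heuristics override a declared type?
    """
    if declared is None:
        # No header at all: guessing is the only option (not an override).
        return sniff(body) or "application/octet-stream"
    base = declared.split(";")[0].strip().lower()
    if not allow_override:
        return base  # user disabled heuristic detection
    guess = sniff(body)
    if guess is None or guess == base:
        return base
    if guess in ACTIVE_TYPES and base not in ACTIVE_TYPES:
        return base  # known security risk: do not escalate to active content
    return guess
```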