Re: Working Group Last Call: draft-ietf-httpbis-content-disp-02

As far as I can tell, your entire message is beating up on a strawman.
 I haven't proposed any of the things you're shooting down.


On Sat, Oct 2, 2010 at 5:11 PM, Eric J. Bowman <> wrote:
> Adam Barth wrote:
>> Given that browsers are going to interpret nonconformant syntax, I'd
>> rather live in a world in which they all did it the same way.  That
>> world is more predictable, which is better for security, and easier
>> for new entrants to the market because those new entrants don't need
>> to reverse engineer existing implementations.  Fewer barriers to entry
>> means more competition, which means users get a better browser
>> product.
> The position is well-known, but that is not to say the premise is
> agreed to by the majority, or any constituency beyond browser vendors.
> I disagree entirely with the notion that it's somehow better for
> security to change the must-ignore nature of Web architecture to one of
> must-process...
> ...given that this sort of error-prevention-correction approach leads to
> just such a cascading database failure requiring the entire site to be
> taken offline and brought back up in a different configuration, instead
> of simply allowing 500 errors to occur.  That's the only way submitted
> code will ever be corrected without opening a big gaping security/
> stability hole by resorting to error correction.  I don't believe in
> specifying any sort of error correction, because those hidden security/
> stability implications are always lurking and aren't outweighed by the
> need for user convenience.
> If the spec were to define how to parse a string with two filenames,
> it would lead to folks thinking it's conformant to send a string with
> two filenames.  Or to transcode the string to have only one filename.
> The last thing that the resulting confusion needs, is standardization.
> The only thing which requires standardization, is how to do it properly.
>> Insulting an important constituency is unlikely to generate consensus
>> by win that constituency over to your point of view.
> Speaking as a long-time Web Developer, I'm appalled by the dismissive
> and insulting attitude taken by the constituency dictating HTML 5 as
> pertains to the standards that myself and those like me are perfectly
> capable of understanding, by declaring repeatedly that we're a bunch of
> morons who can't understand resource/representation or anything else
> the vendors are hell-bent on changing, as justification for said
> changes ignoring those well-understood standards.
> Which motivates me to participate in this thread, because I don't want
> that vendor-centric approach to pollute HTTPbis, rendering the spec so
> large and unwieldy that only browser vendors could ever hope to
> understand its meaning, in terms of what they've implemented.  A big,
> emphatic -1 to the notion that HTTPbis should follow HTML 5 down the
> road of standardizing error correction behavior for user agents, for
> C-D or anything else.
> You have your rationales like "more secure," etc. but I have never
> bought into the arguments behind them, as they defy my experience, most
> recently confirmed by Facebook the day before yesterday -- error
> correction is an inherent security problem and has no business being
> written into HTTP.
> -Eric

Received on Sunday, 3 October 2010 00:32:43 UTC