[Bug 7744] Is sniffing required?

http://www.w3.org/Bugs/Public/show_bug.cgi?id=7744
--- Comment #19 from Maciej Stachowiak <mjs@apple.com>  2010-02-09 09:49:26 ---
(In reply to comment #16)
> (In reply to comment #15)
> > > After all, we just heard from the editor (see
> > > http://lists.w3.org/Archives/Public/public-html/2010Feb/0164.html) that readers
> > > do not follow hyperlinks, so why treat this different from other cases?
> > 
> > We shouldn't. I'd be more than happy to move this text back into the spec, as
> > it was when I wrote it and before members of the working group asked for it to
> > be put into a separate spec.
> 
> How about leaving it where it is, and just adding the clarification?
> 

draft-abarth-mime-sniff makes sniffing optional, but it would not be accurate
to say following MIMESNIFF is optional. draft-abarth-mime-sniff-04 says:

   WARNING!  Whenever possible, user agents SHOULD NOT employ a content
   sniffing algorithm.  However, if a user agent does employ a content
   sniffing algorithm, the user agent SHOULD use the algorithm in this
   document because using a different content sniffing algorithm than
   servers expect causes security problems.  For example, if a server
   believes that the client will treat a contributed file as an image
   (and thus treat it as benign), but a user agent believes the content
   to be HTML (and thus privileged to execute any scripts contained
   therein), an attacker might be able to steal the user's
   authentication credentials and mount other cross-site scripting
   attacks.

In other words, it recommends that UAs should not sniff, but if they do, they
should use this specific algorithm, not any others. HTML5 does not want that
set of recommendations (either don't sniff, or if you do, use this algorithm)
to be optional, though specifically choosing the sniffing side of that fork is
optional.

I think the only way to convey this accurately would be to duplicate the whole
paragraph I just quoted, and even that might not be enough context without
duplicating the whole MIMESNIFF introduction. I don't think that would be an
improvement.

(PS even though implementors don't always follow references, in this case there
is no way to implement the required behavior at all without reading the
referenced document.)

Received on Tuesday, 9 February 2010 09:49:28 UTC
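The quoted warning describes the mismatch that matters: a server accepts a contributed file as an image, but a user agent that sniffs differently treats it as HTML and runs script in the site's origin. The following is an added example (not code from the bug thread, the HTML5 spec or draft-abarth-mime-sniff) of the server-side check a site can apply before storing or serving such a file: the body must begin with the magic bytes of the declared image type, plain-text uploads must not start with HTML-looking markup, and the response carries the declared type with `X-Content-Type-Options: nosniff` so compliant browsers do not sniff at all. The image signatures are the well-known PNG/JPEG/GIF headers; the set of HTML tag prefixes and the 512-byte window are assumptions chosen for illustration, not the draft's algorithm.

```python
"""Validate that a contributed file is what its declared Content-Type says it is.

Added illustration, not the draft-abarth-mime-sniff algorithm. The goal is
to reject uploads that a sniffing user agent could reinterpret as HTML.
"""

# Well-known leading signatures for the image types we accept.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Assumed set of tag prefixes that a sniffer would read as evidence of HTML.
HTML_TAG_PREFIXES = (
    b"<!doctype html", b"<html", b"<head", b"<body", b"<script",
    b"<iframe", b"<div", b"<p", b"<a ", b"<table", b"<br", b"<font",
)

# Assumed inspection window: only the leading bytes are examined.
SNIFF_WINDOW = 512


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes, ignoring whitespace, start with an HTML tag."""
    head = data[:SNIFF_WINDOW].lstrip(b" \t\r\n\f").lower()
    return any(head.startswith(tag) for tag in HTML_TAG_PREFIXES)


def signature_matches(data: bytes, declared: str) -> bool:
    """True if the body starts with a signature for the declared image type."""
    sigs = IMAGE_SIGNATURES.get(declared, [])
    return any(data.startswith(sig) for sig in sigs)


def validate_upload(data: bytes, declared: str):
    """Return (accepted, reason) for a file the client labelled `declared`."""
    if declared in IMAGE_SIGNATURES:
        if not signature_matches(data, declared):
            return False, "body does not start with the signature for " + declared
        return True, "ok"
    if declared == "text/plain":
        if looks_like_html(data):
            return False, "body resembles HTML"
        return True, "ok"
    # Unknown declared types are refused rather than guessed at.
    return False, "declared type not allowed: " + declared


def response_headers(declared: str) -> dict:
    """Headers for serving an accepted file: exact type, and no sniffing."""
    return {
        "Content-Type": declared,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples: a minimal PNG prefix and an HTML document mislabelled as PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html_as_png = b"<html><body>not an image</body></html>"
    for body, declared in [(png, "image/png"), (html_as_png, "image/png"),
                           (b"  <!DOCTYPE html><p>x", "text/plain"),
                           (b"just text", "text/plain")]:
        print(declared, validate_upload(body, declared))
```

The check is deliberately conservative: anything the server cannot positively identify is refused, which is the server-side half of the "don't rely on sniffing" advice the draft gives to user agents.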