- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 25 Jan 2008 12:48:33 -0800
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: "public-html@w3.org" <public-html@w3.org>
On Jan 25, 2008, at 8:45 AM, Boris Zbarsky wrote:
> Oh, one more note. Gecko's sniffing behavior actually had to be
> changed recently. Unfortunately, the more recent Apache installs
> changed from ISO-8859-1 to UTF-8 as the default encoding, without
> changing the default content type behavior.

No, they haven't. Where are you getting this stuff? Try a clean
installation of any Apache version with the distributed configuration
files (Apache will not wipe out old configurations on install).
The only thing we define utf-8 for is directory listings of file names,
when known to be utf-8, and our on-line manuals (all utf-8).
The DefaultType still exists on trunk, though it can be set to

    DefaultType none

Also, don't forget that the only reason Apache has the AddDefaultCharset
feature (off by default) is because browser sniffing of generated content
containing UTF-7 is a known security hole and adding a charset is the
only known workaround short of byte-scanning every message. Every time
we try to remove it a bunch of ego-chasers submit XSS reports that we
have to work around.

If you start sniffing content with a charset, then you had better remove
support for the charsets that are only used for XSS attacks.

....Roy

Received on Friday, 25 January 2008 20:48:29 UTC
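
Added example, not part of the message above and not Apache code: a header audit for the condition the message describes, flagging responses whose charset is left to browser sniffing or declared as UTF-7. The request paths, header values, finding codes and the two sets are assumptions constructed for illustration.

```python
from email.message import Message
from email.utils import collapse_rfc2231_value

# Assumption of this example: charsets a server should never declare.
# The message above names UTF-7 as the one behind the sniffing hole.
RISKY_CHARSETS = {"utf-7"}
# Assumption: media types a browser may end up rendering as markup.
MARKUP_TYPES = {"text/html", "text/plain", "application/xhtml+xml"}


def parse_content_type(value):
    """Split a Content-Type value into (media_type, charset or None)."""
    msg = Message()
    msg["Content-Type"] = value
    charset = msg.get_param("charset")
    if charset is not None:
        # Handles quoted and RFC 2231 encoded parameter values.
        charset = collapse_rfc2231_value(charset).strip().lower()
    return msg.get_content_type(), charset or None


def classify(content_type):
    """Return a finding code for one response's Content-Type header."""
    if content_type is None or not content_type.strip():
        return "no-type"        # e.g. DefaultType none: everything is sniffed
    media_type, charset = parse_content_type(content_type)
    if media_type not in MARKUP_TYPES:
        return "not-markup"
    if charset is None:
        return "no-charset"     # encoding left to browser sniffing
    if charset in RISKY_CHARSETS:
        return "risky-charset"
    return "ok"


def audit(responses):
    """Return (path, finding) for every response that needs attention."""
    findings = [(path, classify(ct)) for path, ct in responses]
    return [f for f in findings if f[1] not in ("ok", "not-markup")]


# Constructed sample data: (request path, Content-Type header or None).
SAMPLE = [("/index.html", "text/html; charset=UTF-8"),
          ("/cgi-bin/search", "text/html"),
          ("/error/404", 'Text/HTML; charset="UTF-7"'),
          ("/download/blob", None),
          ("/logo.png", "image/png")]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{finding:14} {path}")
```

Responses reported as `no-charset` are the ones an `AddDefaultCharset` setting would cover.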