- From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
- Date: Thu, 03 Jul 2008 23:41:00 -0500
- To: Justin James <j_james@mindspring.com>
- CC: 'Karl Dubost' <karl@w3.org>, 'Daniel Stenberg' <daniel@haxx.se>, 'HTTP Working Group' <ietf-http-wg@w3.org>, public-html@w3.org
Justin James wrote:
>
> It is quite clear that you are ignoring the point here. The point is *not* what the spec says. As you point out, there is a serious disconnect between reality and the spec. What you are essentially saying is, "if everyone just followed the spec, everything would be fine." Which is true. But it is also not what happened. Which is the point.

No, I'm observing that a very small percentage of sites would be instantly broken by such a draconian "course correction" by browser authors. And a much larger number of vulnerable sites would be "resolved" by such a correction (in respect to UTF-7 detection particularly, but many other forms of sniffing in general).

Rather than persisting FUD, I'd challenge you to point out only one significant site, and a relatively minor site, affected by such a change.

Folks who insist that sniffing is "necessary" really ought to back up the assertion with hard data, or close the significant vulnerabilities that persist in the ecosystem. As mentioned in a previous note, sniffing served a noble purpose for a safer environment, one that simply doesn't exist.

Received on Friday, 4 July 2008 04:41:52 UTC