- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 10 Jun 2010 09:52:57 +1000
- To: Henry S. Thompson <ht@inf.ed.ac.uk>
- Cc: ietf-http-wg@w3.org, public-html@w3.org, www-tag@w3.org
Henry,

My only concern with [2] is this set of requirements

> Such recipients SHOULD NOT override the specified type if there are
> known security risks and they SHOULD provide for users to disable such
> heuristic Content-Type detection.

as discussed before. HTTPbis can introduce new requirements that break existing implementations only where there are overriding security and/or interoperability concerns. While it could be argued that this holds true here, the first requirement is quite vague, and the second will AFAIK make every existing implementation non-conformant (with the possibility that they will remain so indefinitely).

Would the TAG be amenable to either dropping this sentence from the proposal, or modifying the text at [3] to address your concerns?

Regards,

On 09/06/2010, at 10:47 PM, Henry S. Thompson wrote:

> Further to the TAG's suggestion in [1] regarding 'sniffing', and
> replies from Yves Lafon [2] and Mark Nottingham [3], the TAG has asked
> me to convey our thanks for your willingness to reopen this issue.
> With some minor adjustments, we are happy that the text proposed at [2]
> addresses most of our concerns.
>
> We suggest the following two minor changes:
>
>   does not correctly identify the content sent
>
>   -->
>
>   does not reflect the intended interpretation of the content sent
>
> and
>
>   Such recipients SHOULD NOT
>
>   -->
>
>   Recipients SHOULD NOT
>
> We would however prefer that something about this issue also remain in
> section 3.1.2. Perhaps keep
>
>   If the Content-Type header field is present, a recipient which
>   interprets the underlying data in a way inconsistent with the
>   specified media type risks drawing incorrect conclusions.
>
> in 3.1.2, adding something along the lines of "See [7.3] for a related
> security issue.", but we are happy to leave this to your editorial
> discretion.
>
> We are less happy with the proposed addition suggested by Mark in [3],
> on the grounds that it a) implies that documents have media types in
> some intrinsic way, which we think is at best misleading, and that b)
> the straw men it sets up will in fact be counterproductive.
>
> ht, on behalf of the TAG
>
> [1] http://lists.w3.org/Archives/Public/public-html/2010Mar/0493.html
> [2] http://lists.w3.org/Archives/Public/public-html/2010Mar/0659.html
> [3] http://lists.w3.org/Archives/Public/public-html/2010May/0330.html
>
> [This message pertains to TAG ACTION-370]
>
> --
> Henry S. Thompson, School of Informatics, University of Edinburgh
> 10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
> Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
> URL: http://www.ltg.ed.ac.uk/~ht/
> [mail from me _always_ has a .sig like this -- mail without it is forged spam]

--
Mark Nottingham
http://www.mnot.net/
Received on Wednesday, 9 June 2010 23:52:49 UTC