[whatwg] Establishing the character encoding and determinism

On May 28, 2007, at 17:28, Henri Sivonen wrote:

> In addition, for security reasons, it is important that documents  
> are decoded the same way by browsers and by gatekeeper tools.

It has been pointed out to me in private email that firewall-style  
gatekeepers are ineffective against attacks made in HTTPS. Also, it  
has been pointed out to me that a tool that forwards stuff to a  
browser could add an explicit character encoding label on the HTTP  
level to make the browser agree.

The case I had in mind was a server that allows only "safe" content  
to be uploaded and serves out the original bytes without  
reserializing. (For such tools, reserializing is always the safe way  
to go, but it is relatively rare in practice.)

I don't know if there's a real security concern here. On the face of  
it, it seems similar to the non-shortest-form UTF-8 case. But the  
ability of a security inspector to add an explicit label moots the  
issue pretty much.

-- 
Henri Sivonen
hsivonen at iki.fi
http://hsivonen.iki.fi/

Received on Monday, 28 May 2007 23:41:05 UTC