- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Tue, 29 May 2007 09:41:05 +0300
On May 28, 2007, at 17:28, Henri Sivonen wrote:

> In addition, for security reasons, it is important that documents
> are decoded the same way by browsers and by gatekeeper tools.

It has been pointed out to me in private email that firewall-style gatekeepers are ineffective against attacks made in HTTPS. Also, it has been pointed out to me that a tool that forwards stuff to a browser could add an explicit character encoding label on the HTTP level to make the browser agree.

The case I had in mind was a server that allows only "safe" content to be uploaded and serves out the original bytes without reserializing. (For such tools, reserializing is always the safe way to go, but it is relatively rare in practice.)

I don't know if there's a real security concern here. On the face of it, it seems similar to the non-shortest-form UTF-8 case. But the ability of a security inspector to add an explicit label moots the issue pretty much.

--
Henri Sivonen
hsivonen at iki.fi
http://hsivonen.iki.fi/
Received on Monday, 28 May 2007 23:41:05 UTC
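The remedy discussed in the message, as an added example that is not part of the original thread: a gatekeeper that decodes uploads strictly under one pinned charset, refuses bytes the strict decoder rejects (such as non-shortest-form UTF-8), and serves the original bytes with an explicit HTTP-level charset so the browser decodes them the same way. The content policy and the `browser_decode` model are toy assumptions, not any real browser's sniffing algorithm.

```python
import codecs

PINNED_CHARSET = "utf-8"  # the one decoding the gatekeeper and the browser must share


def decode_strictly(body: bytes, charset: str = PINNED_CHARSET):
    """Decode under the pinned charset, refusing any byte sequence the strict
    decoder rejects (non-shortest-form UTF-8, a stray UTF-16 BOM, ...)."""
    try:
        return body.decode(charset, errors="strict")
    except UnicodeDecodeError:
        return None


def gatekeeper(body: bytes):
    """Inspect an upload. Returns (allowed, response_headers, inspected_text).
    The content policy is a toy stand-in for whatever "safe" means."""
    text = decode_strictly(body)
    if text is None or "<script" in text.lower():
        return False, {}, None
    # Serve the original bytes, but label them so the browser decodes them
    # exactly as they were inspected (the explicit label from the thread).
    return True, {"Content-Type": f"text/html; charset={PINNED_CHARSET}"}, text


def browser_decode(body: bytes, headers: dict) -> str:
    """Crude model of a browser (assumption, not a real algorithm): honour an
    HTTP-level charset, else a BOM, else a legacy single-byte default."""
    ctype = headers.get("Content-Type", "")
    if "charset=" in ctype:
        return body.decode(ctype.split("charset=", 1)[1].strip(), errors="replace")
    if body.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return body.decode("utf-16", errors="replace")
    return body.decode("windows-1252", errors="replace")


def agrees(body: bytes) -> bool:
    """True when the bytes are served and the browser sees the inspected text."""
    allowed, headers, text = gatekeeper(body)
    return allowed and browser_decode(body, headers) == text


# Constructed samples (not from the email)
PLAIN = "<p>hello</p>".encode("utf-8")
OVERLONG = b"\xc0\xbcp>hello</p>"         # "<" in non-shortest-form UTF-8
UTF16 = "<p>hello</p>".encode("utf-16")   # BOM-led; unlabelled, a browser may sniff UTF-16

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("overlong", OVERLONG), ("utf16", UTF16)]:
        print(name, "served:", gatekeeper(sample)[0], "agrees:", agrees(sample))
```

Only bytes that survive the strict decode are ever served, and they always go out with the same charset they were inspected under, so the gatekeeper's view and the browser's view cannot diverge.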