- From: <bugzilla@jessica.w3.org>
- Date: Mon, 14 Apr 2014 10:30:21 +0000
- To: www-international@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25339
Bug ID: 25339
Summary: Make hz-gb-2312 a label of the replacement encoding
Product: WHATWG
Version: unspecified
Hardware: All
URL: http://telemetry.mozilla.org/#release/28/DECODER_INSTA
NTIATED_HZ/saved_session/Firefox
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Encoding
Assignee: annevk@annevk.nl
Reporter: hsivonen@hsivonen.fi
QA Contact: sideshowbarker+encodingspec@gmail.com
CC: jshin@chromium.org, mike@w3.org,
www-international@w3.org
HZ is an exceptionally dangerous encoding, because its escape sequence consists
of printable ASCII characters. See
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20886#c3 .
In Firefox 28, I constrained the inheritance of HZ, removed it from the UI so
that it can't be chosen manually and added telemetry for counting sessions in
which the HZ decoder has been instantiated.
Sessions in which the HZ decoder has been instantiated are very rare: such a
session occurs less often than once in a million sessions.
http://telemetry.mozilla.org/#release/28/DECODER_INSTANTIATED_HZ/saved_session/Firefox
This suggests that the utility of HZ is so small that it should be regarded
mainly as an XSS attack vector and be mapped the replacement encoding.
I'd be interested in hearing the perspective of developers of other browsers,
Chrome especially, since Chrome has resisted the addition of useless or merely
marginally useful encodings.
--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Monday, 14 April 2014 10:30:28 UTC