[Bug 19961] Write security considerations from bugzilla@jessica.w3.org on 2014-12-05 (www-international@w3.org from October to December 2014)

From: <bugzilla@jessica.w3.org>
Date: Fri, 05 Dec 2014 08:09:59 +0000
To: www-international@w3.org
Message-ID: <bug-19961-4285-rU0AwpUPBc@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=19961

--- Comment #5 from Henri Sivonen <hsivonen@hsivonen.fi> ---
"Browsers are strongly encouraged to disable character encoding overrides for
resources using one of the aforementioned problematic encodings."

Please clarify that browsers should both:
 1) Not offer UTF-16 as a manual override.
 2) Ignore manual overrides for resources that are UTF-16 to begin with.

I'm unsure if the above should apply to ISO-2022-JP. I haven't seen a PoC of an
attack either way, and Firefox currently allows override both to and from
ISO-2022-JP.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Friday, 5 December 2014 08:10:01 UTC