Re: 9 July 2003 draft of "Client handling of MIME headers" available

On Wednesday, July 9, 2003, at 10:17  PM, Dan Connolly wrote:
> On Wed, 2003-07-09 at 15:03, Roy T. Fielding wrote:
> [... several points I don't take issue with...]
>>     However, a receiving application can, with very high reliability,
>>     determine the character encoding of an XML document by reading it
>>
>> Sorry, that is completely false.
>
> No need to apologize; just present some evidence.
> I'm pretty confident it is true "with very high
> reliability."
>
> The design is presented in...
>
>   F Autodetection of Character Encodings (Non-Normative)
>   http://www.w3.org/TR/REC-xml#sec-guessing
>
> and implementations are widespread and highly reliable.

No, they are highly consistent.  Reliable would mean that they wouldn't
allow an interpretation of the content that differed from that described
in the media type, since it is the media type that is authoritative.

>>   Folks should read the number of
>> security vulnerabilities caused by such thinking before declaring
>> that it is the case.
>
> For example? Do they involve XML?

Do a google search on cross-site scripting.

Not yet, unless you count XHTML, but that's only because people don't
use XML for the delivery of Internet content (only for storage).
I don't know if the browser XML parsers are set up yet to evaluate
javascript within attribute values, but they will eventually.

>> BTW, on a related point, I will note that the W3C working groups
>> responsible for all of the exceptions requested on this point have
>> still failed to register their media types with IANA.  I just spent
>> an hour digging through the W3C site to pick up some of these types
>> for the Apache configuration file, since I am tired of waiting for
>> the appropriate authors.  People claiming that the registration
>> process is slow should be ashamed of themselves -- there are dozens
>> of new types since the last update with far less applicability and
>> deployment.  The only organization that seems incapable of
>> registering deployed types is the W3C.  Whatever the problem is,
>> it sure as heck isn't the IANA process.
>
> You are way, way out of line, Roy. Don't jump to the conclusion
> that the authors are at fault.
>
> The IESG is on record as having repeatedly dropped the
> ball on W3C registrations. See
>   http://www.w3.org/2003/06/17-w3c-ietf#mimereg
> and the paper trail going back at least a year on this
>  http://lists.w3.org/Archives/Public/public-ietf-w3c/2002Aug/0000.html

At no point has the IESG ever been responsible for media type registrations,
as is clearly documented in the RFCs that define the process for those
registrations.  All you have to do is follow that process and the RFC
editor will publish the RFC and the result is an IETF-branch media type.
That's all there is to it.  Maybe the problem the W3C is encountering
is because you are talking to the wrong people.

I'll repeat this again: The organization that is having problems
registering media types is the W3C.  Having just updated the mime.types
file for Apache 2.1, I can assure you that IANA does register all
types for which it has received appropriate notice, even if those
types are in the non-vendor branch and the specifications have not
yet been assigned RFC numbers.  As near as I can tell, the reason that
the W3C is having problems is because of the self-defeatist attitude
that it is due to the IETF process, rather than a failure on the
part of specification authors to follow-through on that process.

> I'll thank you to be constructive and present your evidence or
> just keep your comments to yourself.

And I'll thank you and the rest of the W3C when you stop bitching
about how the IETF works and how Web servers are configured, at least
until you get off your duff and do the boring work necessary to make a
standard authoritative.  I am really tired of reading press releases
about W3C accomplishments when none of it gets enabled on the Web
until someone at Apache makes it happen.  Follow through.

....Roy

Received on Thursday, 10 July 2003 01:02:52 UTC
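
An added example, not part of the original message: a check that flags HTTP responses whose Content-Type charset disagrees with what autodetection in the style of XML 1.0 Appendix F (BOM, then XML declaration; a subset of that appendix) would conclude from the body, which is the divergence the thread is arguing about. The function names and the sample responses are constructed for illustration.

```python
import codecs
import re
from email.message import Message
from email.utils import collapse_rfc2231_value

# Byte-order marks from XML 1.0 Appendix F. UTF-32 comes first because its
# little-endian BOM begins with the UTF-16 little-endian BOM.
_BOMS = [
    (codecs.BOM_UTF32_BE, "utf-32"), (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_BE, "utf-16"), (codecs.BOM_UTF16_LE, "utf-16"),
]
_XML_DECL = re.compile(
    rb'<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z][A-Za-z0-9._-]*)["\']')

def sniff_xml_encoding(body: bytes) -> str:
    """Guess the encoding from the entity itself: BOM, then XML declaration."""
    for bom, name in _BOMS:
        if body.startswith(bom):
            return name
    m = _XML_DECL.match(body)
    # With no BOM and no declaration, XML defaults to UTF-8.
    return m.group(1).decode("ascii").lower() if m else "utf-8"

def _canon(name: str) -> str:
    """Normalise aliases (latin1, ISO-8859-1, ...) to one codec name."""
    try:
        return codecs.lookup(name).name
    except LookupError:
        return name.lower()

def check_response(content_type: str, body: bytes) -> dict:
    """Compare the charset in the header with the sniffed one."""
    msg = Message()
    msg["Content-Type"] = content_type
    declared = msg.get_param("charset")
    if declared is not None:
        declared = collapse_rfc2231_value(declared)
    sniffed = sniff_xml_encoding(body)
    # Only a charset stated in the header can be contradicted by the body.
    mismatch = declared is not None and _canon(declared) != _canon(sniffed)
    return {"declared": declared, "sniffed": sniffed, "mismatch": mismatch}

# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("text/xml; charset=iso-8859-1", b'<?xml version="1.0" encoding="utf-8"?><a/>'),
    ("application/xml; charset=UTF-8", codecs.BOM_UTF8 + b'<?xml version="1.0"?><a/>'),
    ("text/xml; charset=utf-8", codecs.BOM_UTF16_LE + "<a/>".encode("utf-16-le")),
]
if __name__ == "__main__":
    for ct, body in SAMPLES:
        print(ct, check_response(ct, body))
```

A mismatch means a consumer that sniffs and one that honours the header would decode the same bytes differently, so a filter and a renderer may not see the same markup.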