Re: Sniffing and HTTP-bis (ACTION-309) from David Booth on 2009-12-02 (www-tag@w3.org from December 2009)

From: David Booth <david@dbooth.org>
Date: Wed, 02 Dec 2009 08:06:32 -0500
To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
Cc: www-tag@w3.org
Message-Id: <1259759192.29282.14921.camel@dbooth-laptop>

A question:

On Wed, 2009-12-02 at 12:23 +0000, Henry S. Thompson wrote:
[ . . . ]
> I took an action [3] to review the situation, and suggest further action
> if necessary.
> 
> I think we should in fact request the HTTPbis editors to reopen their
> Ticket #155 [4] with a suggestion that something along the following
> lines be added after the above-quoted paragraph in section 3.2.1:
> 
>   If the Content-Type header field _is_ present, recipients SHOULD NOT
>   examine the content and override the specified type if the change
>   would significantly alter the security exposure ('privilege
>   escalation').

Why only "if the change would significantly alter the security
exposure . . . "?  Why not also for other cases, where the user is just
trying to get what the server is trying to send?

David Booth

> 
> This change is compatible with _Content-Type Processing Model_, a
> draft "responsible sniffing" Internet-Draft [5].
> 
> ht
>  
> [1] http://www.w3.org/2001/tag/2009/09/24-minutes#item03
> [2] http://trac.tools.ietf.org/wg/httpbis/trac/export/663/draft-ietf-httpbis/latest/p3-payload.html#rfc.section.3.2.1
> [3] http://www.w3.org/2001/tag/group/track/actions/309
> [4] http://trac.tools.ietf.org/wg/httpbis/trac/ticket/155
> [5] http://ietfreport.isoc.org/idref/draft-abarth-mime-sniff/
> - -- 
>        Henry S. Thompson, School of Informatics, University of Edinburgh
>                          Half-time member of W3C Team
>       10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
>                 Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
>                        URL: http://www.ltg.ed.ac.uk/~ht/
> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> 
> iD8DBQFLFlxfkjnJixAXWBoRAqEiAJ96ixasPHacaeuNm3WzKkfsjaH9DACfQQ1a
> sPg4wAPVxDp0jlqSkqwpeaQ=
> =theI
> -----END PGP SIGNATURE-----
> 
> 
> 
-- 
David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.

Received on Wednesday, 2 December 2009 13:07:09 UTC