- From: David Booth <david@dbooth.org>
- Date: Wed, 02 Dec 2009 08:06:32 -0500
- To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
- Cc: www-tag@w3.org
A question:

On Wed, 2009-12-02 at 12:23 +0000, Henry S. Thompson wrote:
[ . . . ]
> I took an action [3] to review the situation, and suggest further action
> if necessary.
>
> I think we should in fact request the HTTPbis editors to reopen their
> Ticket #155 [4] with a suggestion that something along the following
> lines be added after the above-quoted paragraph in section 3.2.1:
>
>    If the Content-Type header field _is_ present, recipients SHOULD NOT
>    examine the content and override the specified type if the change
>    would significantly alter the security exposure ('privilege
>    escalation').

Why only "if the change would significantly alter the security exposure . . . "? Why not also for other cases, where the user is just trying to get what the server is trying to send?

David Booth

> This change is compatible with _Content-Type Processing Model_, a
> draft "responsible sniffing" Internet-Draft [5].
>
> ht
>
> [1] http://www.w3.org/2001/tag/2009/09/24-minutes#item03
> [2] http://trac.tools.ietf.org/wg/httpbis/trac/export/663/draft-ietf-httpbis/latest/p3-payload.html#rfc.section.3.2.1
> [3] http://www.w3.org/2001/tag/group/track/actions/309
> [4] http://trac.tools.ietf.org/wg/httpbis/trac/ticket/155
> [5] http://ietfreport.isoc.org/idref/draft-abarth-mime-sniff/
> - --
> Henry S. Thompson, School of Informatics, University of Edinburgh
> Half-time member of W3C Team
> 10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
> Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
> URL: http://www.ltg.ed.ac.uk/~ht/
> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFLFlxfkjnJixAXWBoRAqEiAJ96ixasPHacaeuNm3WzKkfsjaH9DACfQQ1a
> sPg4wAPVxDp0jlqSkqwpeaQ=
> =theI
> -----END PGP SIGNATURE-----
>
>

--
David Booth, Ph.D.
Cleveland Clinic (contractor)
Opinions expressed herein are those of the author and do not necessarily reflect those of Cleveland Clinic.
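The rule Henry quotes, and the distinction David asks about, can be made concrete in code: a recipient that sniffs when no Content-Type is present, that accepts a non-escalating override (the server says text/plain but sends a PNG), and that refuses an override which would gain privilege (text/plain bytes that look like HTML). This is an added example written for this archive page, not code from the thread, from the HTTPbis draft or from the mime-sniff Internet-Draft; the privilege ranking, the byte signatures and the function names are constructed assumptions, and the sniffer is deliberately a small subset of what a real one does.

```python
import re
from typing import Optional, Tuple

# Hypothetical privilege ranking (constructed for this example, not taken
# from any spec): a higher number means a browser grants that type more
# capability, e.g. text/html may run script in the page's origin, while
# text/plain is only rendered as characters.
PRIVILEGE = {
    "application/octet-stream": 0,
    "text/plain": 1,
    "image/png": 1,
    "application/pdf": 2,
    "text/html": 3,
}

# Constructed signature subset, enough to exercise the decision below.
_PNG = b"\x89PNG\r\n\x1a\n"
_PDF = b"%PDF-"
_HTML = re.compile(rb"<(!doctype\s+html|html|head|body|script)", re.IGNORECASE)
_TEXT_CONTROL = {0x09, 0x0A, 0x0C, 0x0D}  # control bytes that plain text may contain


def sniff(body: bytes) -> str:
    """Guess a media type from the leading bytes (simplified, constructed sniffer)."""
    head = body[:512]
    if head.startswith(_PNG):
        return "image/png"
    if head.startswith(_PDF):
        return "application/pdf"
    if _HTML.match(head.lstrip()):
        return "text/html"
    # Any other control byte in the prefix: treat as opaque binary.
    if any(b < 0x20 and b not in _TEXT_CONTROL for b in head):
        return "application/octet-stream"
    return "text/plain"


def effective_type(declared: Optional[str], body: bytes) -> Tuple[str, str]:
    """Decide which type a recipient should act on, and why.

    Models the quoted proposal: with no Content-Type header, sniff; with one
    present, override it only when the sniffed type would not gain privilege
    over the declared type ('privilege escalation' is refused).
    """
    guess = sniff(body)
    if declared is None:
        return guess, "no Content-Type header: sniffed"
    declared = declared.split(";", 1)[0].strip().lower()  # drop parameters
    if guess == declared:
        return declared, "declared type matches content"
    if PRIVILEGE.get(guess, 0) > PRIVILEGE.get(declared, 0):
        return declared, "override refused: would escalate privilege"
    return guess, "override allowed: no privilege gain"


if __name__ == "__main__":
    # Constructed sample responses: (declared Content-Type, body prefix).
    samples = [
        ("text/plain", b"<html><script>x()</script></html>"),
        ("text/plain", _PNG + b"\x00\x00\x00\rIHDR"),
        (None, b"<!DOCTYPE html><html></html>"),
        ("text/html; charset=utf-8", b"<html><body>hi</body></html>"),
        ("application/octet-stream", b"<html><body>hi</body></html>"),
    ]
    for declared, body in samples:
        print(declared, "->", effective_type(declared, body))
```

The second sample is the case David's question points at: the override is harmless, so the rule as quoted permits it. The first and last samples are the case the proposed text targets, where honouring the bytes over the header would let the response run as HTML.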
Received on Wednesday, 2 December 2009 13:07:09 UTC