- From: David Booth <david@dbooth.org>
- Date: Wed, 02 Dec 2009 13:00:28 -0500
- To: Jonathan Rees <jar@creativecommons.org>
- Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, www-tag@w3.org
I was thinking of more mundane cases where the user needs to see the data according to the content type. I suppose this is most apt to happen with languages that are layered on other languages, such as when RDF is layered on XML, which is in turn layered on text. If the server is trying to show how the XML of an RDF/XML document looks, then the user will not want the user agent to erroneously guess that it should be displayed as RDF in spite of the content type indicating it should be interpreted as XML. This doesn't only affect the user: in order to prevent this problem the server owner must guess how the user agent might erroneously guess the content type of the message, and thus program around it. And this business of one side guessing what the other side will guess seems rather fragile and browser dependent.

But my question was innocent. I wasn't sure whether non-security-related cases had already been ruled out for some reason. If there isn't a particular reason to exclude them, I would suggest adding the word "especially" to the proposed update:

  If the Content-Type header field _is_ present, recipients SHOULD NOT
  examine the content and override the specified type, *especially* if
  the change would significantly alter the security exposure ('privilege
  escalation').

David Booth

On Wed, 2009-12-02 at 10:10 -0500, Jonathan Rees wrote:
> I think I'm with you, David, but concrete examples would help...
> something like the following maybe? (at
> http://mumble.net/~jar/message, haven't tried it with IE)
>
> <html not="true">
> <!-- The following is completely ludicrous, and I never would have
> said it: -->
> Jonathan's house is painted an ugly color.
>
> If interpreted as having media type text/plain, it means one thing,
> while if interpreted as text/html, it means the opposite.
>
> This could be countered by saying that miscommunications like this
> *are* security issues (consider the dubious case where the html
> comment contains private information, and the document was interpreted
> as plain when html was wanted); but it could also be countered by
> saying that it's too artificial to be convincing.
>
> Jonathan
>
> On Wed, Dec 2, 2009 at 8:06 AM, David Booth <david@dbooth.org> wrote:
> > A question:
> >
> > On Wed, 2009-12-02 at 12:23 +0000, Henry S. Thompson wrote:
> > [ . . . ]
> >> I took an action [3] to review the situation, and suggest further action
> >> if necessary.
> >>
> >> I think we should in fact request the HTTPbis editors to reopen their
> >> Ticket #155 [4] with a suggestion that something along the following
> >> lines be added after the above-quoted paragraph in section 3.2.1:
> >>
> >>   If the Content-Type header field _is_ present, recipients SHOULD NOT
> >>   examine the content and override the specified type if the change
> >>   would significantly alter the security exposure ('privilege
> >>   escalation').
> >
> > Why only "if the change would significantly alter the security
> > exposure . . . "? Why not also for other cases, where the user is just
> > trying to get what the server is trying to send?
> >
> > David Booth
> >
> >> This change is compatible with _Content-Type Processing Model_, a
> >> draft "responsible sniffing" Internet-Draft [5].
> >>
> >> ht
> >>
> >> [1] http://www.w3.org/2001/tag/2009/09/24-minutes#item03
> >> [2] http://trac.tools.ietf.org/wg/httpbis/trac/export/663/draft-ietf-httpbis/latest/p3-payload.html#rfc.section.3.2.1
> >> [3] http://www.w3.org/2001/tag/group/track/actions/309
> >> [4] http://trac.tools.ietf.org/wg/httpbis/trac/ticket/155
> >> [5] http://ietfreport.isoc.org/idref/draft-abarth-mime-sniff/
> >> --
> >> Henry S. Thompson, School of Informatics, University of Edinburgh
> >> Half-time member of W3C Team
> >> 10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
> >> Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
> >> URL: http://www.ltg.ed.ac.uk/~ht/
> >> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> >
> > --
> > David Booth, Ph.D.
> > Cleveland Clinic (contractor)
> >
> > Opinions expressed herein are those of the author and do not necessarily
> > reflect those of Cleveland Clinic.

--
David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.
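An added example, not from any participant in this thread, that models the two wordings under discussion as a recipient's decision rule and runs Jonathan's document through it: Henry's text only forbids overrides that raise the security exposure, while David's "especially" wording forbids overriding a present Content-Type at all. The sniffer and renderer are toy stand-ins constructed for the example (not draft-abarth-mime-sniff or any browser), and `ACTIVE_TYPES` is an assumed list of types whose rendering can run script or act on the origin.

```python
import re
from typing import Optional

# Assumed set of media types whose interpretation lets the payload run script
# or act on the page's origin; sniffing a response *into* one of these when the
# server declared something else is the 'privilege escalation' the proposal means.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "application/javascript", "text/javascript"}

def sniff_type(body: bytes) -> str:
    """Toy sniffer (constructed): a leading tag means text/html, else text/plain."""
    return "text/html" if re.match(rb"\s*<[a-zA-Z!]", body) else "text/plain"

def effective_type(declared: Optional[str], body: bytes, strict: bool = True) -> str:
    """Media type a recipient acts on.
    strict=True  -> David's wording: a present Content-Type is never overridden.
    strict=False -> Henry's wording: overriding is allowed unless the change
                    would raise the security exposure (e.g. plain -> html)."""
    guessed = sniff_type(body)
    if declared is None:            # no header: sniffing is all we have
        return guessed
    declared = declared.split(";")[0].strip().lower()   # drop parameters
    if strict:
        return declared
    escalates = guessed in ACTIVE_TYPES and declared not in ACTIVE_TYPES
    return declared if escalates else guessed

def visible_text(media_type: str, body: bytes) -> str:
    """What the user sees (toy renderer, constructed): text/plain shows every
    byte, text/html hides comments and tags."""
    text = body.decode("utf-8")
    if media_type == "text/html":
        text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
        text = re.sub(r"<[^>]*>", "", text)
    return " ".join(text.split())

# Jonathan's document from the thread, used as the sample input.
MESSAGE = b"""<html not="true">
<!-- The following is completely ludicrous, and I never would have
said it: -->
Jonathan's house is painted an ugly color.
"""

if __name__ == "__main__":
    for declared in ("text/plain", "text/html", None):
        for strict in (True, False):
            t = effective_type(declared, MESSAGE, strict)
            print(f"declared={declared!r:<13} strict={strict!s:<5} "
                  f"effective={t:<10} sees: {visible_text(t, MESSAGE)!r}")
```

Note that under the narrower wording a declared `text/html` body that sniffs as plain text is still silently overridden (a non-security case), which is exactly the gap David's question raises.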
Received on Wednesday, 2 December 2009 18:00:57 UTC