W3C home > Mailing lists > Public > www-tag@w3.org > December 2009

Re: Sniffing and HTTP-bis (ACTION-309)

From: Henry S. Thompson <ht@inf.ed.ac.uk>
Date: Sun, 06 Dec 2009 13:09:09 +0000
To: Tim Berners-Lee <timbl@w3.org>
Cc: Jonathan Rees <jar@creativecommons.org>, David Booth <david@dbooth.org>, www-tag@w3.org
Message-ID: <f5bfx7o2qru.fsf@hildegard.inf.ed.ac.uk>
Hash: SHA1

Tim Berners-Lee writes:

> In signup.html:
> By pressing on this button you are agree to our
> <a href="terms.txt">terms and conditions</a>.
> In terms.txt:
> ( a la http://www.w3.org/2009/12/terms.txt)
> <html>
> <body>
> <p>You will not upload pornography.
> </p>
> <!--
> Further, you agree to convey to us your first born son if the sun
> rises in the east
> during the term of your association with the company.
> ... 265 pages of small print
> ...
> ...

So, what's interesting about this to me is that

 a) Adam Barth's current mime-sniff draft [1] rules it out (because
    text/plain to text/html is classified as privilege escalation,
    because text/html is 'scriptable');

 b) The _reason_ it is ruled out has nothing to do with the problem
    you are pointing to!

That is, supposing there were a media type text/staticHTML, which
meant, effectively, interpret as HTML with noscript applying
throughout.  Barth would not classify text/plain -> text/staticHTML as
privilege escalation, so it would be allowed, and _then_ the problem
your example illustrates would come into play . . .


[1] http://www.ietf.org/id/draft-abarth-mime-sniff-03.txt
- -- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
                         Half-time member of W3C Team
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Version: GnuPG v1.2.6 (GNU/Linux)

Received on Sunday, 6 December 2009 13:10:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:31 UTC