Re: mime-web-info 6.1 feedback

Larry,

I haven't had time to read this revision yet.  Do you feel there's enough 
new that we should spend some time with TAG members at TPAC Monday morning 
to work through the changes?  Since we just did a lot of work in Mountain 
View, the agenda for Monday at TPAC is more open than usual.  Thank you.

Noah

On 10/26/2010 2:44 AM, Larry Masinter wrote:
> Up against the deadline for submitting new versions, I posted
>
> http://tools.ietf.org/html/draft-masinter-mime-web-info-01
>
> without carefully addressing your comment on the “applications that use
> this type” in what had been section 6.1 (in fact, the text in -01 is
> unfortunately incoherent.)
>
> I was thinking about this, and wonder if the issue is really around the
> security considerations for sniffing and privilege escalation…
>
> Content that allows hyperlinks to embedded content
>    -- which is (or is not) commonly automatically retrieved to display
>    E.g., html with embedded IMG tags
>
> Content that contains scripting:
>    where script content can access the internet
>       -- with or without sandboxing
>    where script content can access the “local file system”
>
> Content that is not intended to be scriptable
>
> Buggy software can turn a JPEG into scriptable content which accesses the
> local file system, but it’s “buggy”?
>
> Turning text/plain into malicious content might involve attacks on the UTF8
> decoders?
>
> Note that some fonts are scriptable….
>
> Larry
>
> --
>
> http://larry.masinter.net
>

Received on Wednesday, 27 October 2010 14:44:45 UTC