Re: comments on draft-abarth-mime-sniff-03

Adam Barth <ietf@adambarth.com> Tue, 26 January 2010 20:47 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Tue, 26 Jan 2010 20:46:52 +0000
Message-ID: <7789133a1001261246p5a0074bdof65a59a62969d148@mail.gmail.com>
Subject: Re: comments on draft-abarth-mime-sniff-03
To: Larry Masinter <masinter@adobe.com>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>

On Sat, Jan 23, 2010 at 3:25 AM, Adam Barth <ietf@adambarth.com> wrote:
> On Fri, Jan 22, 2010 at 5:34 PM, Larry Masinter <masinter@adobe.com> wrote:
>> I suggest including this example in the security considerations section
>> of the document.
>
> Will do.

Actually, I've just included the example inline in the text because
the document doesn't have a separate security considerations section.
In some sense, the entire document is one giant security
considerations section.

>>>> What is the security threat?
>>
>>> The security threat is that if you treat an HTML file extension as
>>> evidence the server wants the response to be treated as text/html you
>>> will introduce XSS vulnerabilities into some large number of sites
>>> running PHP (among others).
>>
>> Yes, I think this belongs in the "security considerations" section
>> of the document.
>
> Will do.

This is explained in the introduction.

Adam
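
The threat quoted in the message above, as an added example that is not part of the original message or of the draft: two content-type policies run over constructed responses, listing the responses that would be rendered as HTML only because of their URL extension. The function names, URLs and the header-only policy are assumptions made for illustration; the header-only policy is a simplification and not the draft's sniffing algorithm.

```javascript
// Added illustration; all names and sample data are constructed.

// Media type (type/subtype, lowercased) from a Content-Type value, or null.
function declaredType(contentType) {
  if (typeof contentType !== 'string') return null;
  const type = contentType.split(';')[0].trim().toLowerCase();
  return /^[^\s\/;]+\/[^\s\/;]+$/.test(type) ? type : null;
}

// Extension of the last path segment of a URL, or '' if there is none.
function pathExtension(url) {
  const seg = new URL(url).pathname.split('/').pop();
  const dot = seg.lastIndexOf('.');
  return dot > 0 ? seg.slice(dot + 1).toLowerCase() : '';
}

// Risky policy: an HTML file extension overrides what the server declared.
function typeTrustingExtension(resp) {
  const ext = pathExtension(resp.url);
  if (ext === 'html' || ext === 'htm') return 'text/html';
  return declaredType(resp.contentType) || 'application/octet-stream';
}

// Conservative policy (simplified): only the server's declaration counts.
function typeFromHeaderOnly(resp) {
  return declaredType(resp.contentType) || 'application/octet-stream';
}

// URLs that become text/html solely because of the extension.
function upgradedToHtml(responses) {
  return responses
    .filter(r => typeTrustingExtension(r) === 'text/html' &&
                 typeFromHeaderOnly(r) !== 'text/html')
    .map(r => r.url);
}

// Constructed sample responses (URL plus the Content-Type the server sent).
const SAMPLE = [
  { url: 'https://example.test/paste/1234.html', contentType: 'text/plain; charset=utf-8' },
  { url: 'https://example.test/index.html', contentType: 'text/html' },
  { url: 'https://example.test/avatar.htm', contentType: 'image/png' },
  { url: 'https://example.test/notes.txt', contentType: 'text/plain' },
];

console.log(upgradedToHtml(SAMPLE));
```

Each URL it reports is a response the server labelled as something other than HTML; under the extension-trusting policy any markup in that body would run in the site's origin.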