Re: [apps-discuss] informal Last Call on draft-reschke-http-status-308-02

[Bjoern Hoehrmann <derhoermi@gmx.net>]

* Julian Reschke wrote:
>> keep Internet Explorer 6 around? It should be possible to make an ex-
>> ample that does not redirect to where you think it would, but I would
>> have to set up a virtual machine for testing and there kinda would be no
>> point if you don't have the right browser to try it.
>
>Could you elaborate about what this has to do with IE6?

Without explicit declarations browsers will auto-detect an encoding and
in case of Internet Explorer 6 that means that some US-ASCII documents
without encoding declarations are treated as UTF-7 encoded documents, so
if you try to redirect to something like /Bj+APY-rn/ IE might end up on
/Björn/ even though "Bj+APY-rn" is "all US-ASCII". That problem was not
specific to Internet Explorer 6, but it's the cheapest target. Avoiding
such misdetection is important for security reasons, so responses with-
out encoding declarations are likely to be or to become security risks.
It's like seeing `"SELECT * FROM table WHERE column = '$user_input';"`
in a PHP tutorial.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/