Re: [apps-discuss] informal Last Call on draft-reschke-http-status-308-02

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 14 January 2012 17:49 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90AEC21F853B for <apps-discuss@ietfa.amsl.com>; Sat, 14 Jan 2012 09:49:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[AWL=-0.399, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fpYV2kVBPvuU for <apps-discuss@ietfa.amsl.com>; Sat, 14 Jan 2012 09:49:27 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 862FE21F852D for <apps-discuss@ietf.org>; Sat, 14 Jan 2012 09:49:26 -0800 (PST)
Received: (qmail invoked by alias); 14 Jan 2012 17:49:23 -0000
Received: from dslb-094-223-151-066.pools.arcor-ip.net (EHLO HIVE) [94.223.151.66] by mail.gmx.net (mp034) with SMTP; 14 Jan 2012 18:49:23 +0100
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1/BeL8SnrTB6JI5UHcr+b0GKx23HbQMj+aBdo4kB5 lP5PPq72uCjOIn
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 14 Jan 2012 18:49:30 +0100
Message-ID: <r6e3h7tjp3q1fup4qbkugskociimsvoucs@hive.bjoern.hoehrmann.de>
References: <20120114105523.32324.64307.idtracker@ietfa.amsl.com> <4F116C45.2060605@gmx.de> <8i53h715g9kjghtgqhsjqvb4mdnelqaqa0@hive.bjoern.hoehrmann.de> <4F119EFE.7040106@gmx.de> <qt73h7p28jvcc91at1r4n8c8cpdsetjfod@hive.bjoern.hoehrmann.de> <4F11A526.6020909@gmx.de> <1j93h7du1f85o4egf685k1g8upm4j9fsn4@hive.bjoern.hoehrmann.de> <4F11B832.1040205@gmx.de>
In-Reply-To: <4F11B832.1040205@gmx.de>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: HTTP Working Group <ietf-http-wg@w3.org>, IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] informal Last Call on draft-reschke-http-status-308-02
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2012 17:49:27 -0000

* Julian Reschke wrote:
>> keep Internet Explorer 6 around? It should be possible to make an ex-
>> ample that does not redirect to where you think it would, but I would
>> have to set up a virtual machine for testing and there kinda would be no
>> point if you don't have the right browser to try it.
>
>Could you elaborate about what this has to do with IE6?

Without explicit declarations browsers will auto-detect an encoding and
in case of Internet Explorer 6 that means that some US-ASCII documents
without encoding declarations are treated as UTF-7 encoded documents, so
if you try to redirect to something like /Bj+APY-rn/ IE might end up on
/Björn/ even though "Bj+APY-rn" is "all US-ASCII". That problem was not
specific to Internet Explorer 6, but it's the cheapest target. Avoiding
such misdetection is important for security reasons, so responses with-
out encoding declarations are likely to be or to become security risks.
It's like seeing `"SELECT * FROM table WHERE column = '$user_input';"`
in a PHP tutorial.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/