Re: [websec] #21: sniffing of text/html shouldn't override polyglot label of application/xhtml+xml
Larry Masinter <masinter@adobe.com> Mon, 24 October 2011 16:48 UTC
Return-Path: <masinter@adobe.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8C3021F8D07 for <websec@ietfa.amsl.com>; Mon, 24 Oct 2011 09:48:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.216
X-Spam-Level:
X-Spam-Status: No, score=-106.216 tagged_above=-999 required=5 tests=[AWL=0.383, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSm1a40WMxsT for <websec@ietfa.amsl.com>; Mon, 24 Oct 2011 09:48:41 -0700 (PDT)
Received: from exprod6og112.obsmtp.com (exprod6og112.obsmtp.com [64.18.1.29]) by ietfa.amsl.com (Postfix) with ESMTP id 103A121F8CFB for <websec@ietf.org>; Mon, 24 Oct 2011 09:48:40 -0700 (PDT)
Received: from outbound-smtp-1.corp.adobe.com ([192.150.11.134]) by exprod6ob112.postini.com ([64.18.5.12]) with SMTP; Mon, 24 Oct 2011 09:48:41 PDT
Received: from inner-relay-1.corp.adobe.com ([153.32.1.51]) by outbound-smtp-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id p9OGl1YE026944; Mon, 24 Oct 2011 09:47:02 -0700 (PDT)
Received: from nahub02.corp.adobe.com (nahub02.corp.adobe.com [10.8.189.98]) by inner-relay-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id p9OGma5R020851; Mon, 24 Oct 2011 09:48:36 -0700 (PDT)
Received: from nambxv01a.corp.adobe.com ([10.8.189.95]) by nahub02.corp.adobe.com ([10.8.189.98]) with mapi; Mon, 24 Oct 2011 09:48:36 -0700
From: Larry Masinter <masinter@adobe.com>
To: Philip Gladstone <pgladsto@cisco.com>, "websec@ietf.org" <websec@ietf.org>
Date: Mon, 24 Oct 2011 09:48:35 -0700
Thread-Topic: [websec] #21: sniffing of text/html shouldn't override polyglot label of application/xhtml+xml
Thread-Index: AcySadRMFPgFBBBXQYi+5uSflnxDSgAArEMw
Message-ID: <C68CB012D9182D408CED7B884F441D4D0605EFA472@nambxv01a.corp.adobe.com>
References: <059.3516e8c3cdad2665b7817e8e50a003a8@trac.tools.ietf.org> <4EA59106.8020702@cisco.com>
In-Reply-To: <4EA59106.8020702@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [websec] #21: sniffing of text/html shouldn't override polyglot label of application/xhtml+xml
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2011 16:48:41 -0000
I don't understand, Philip. A central case of this document involves taking documents that look like text/html but are labeled as text/plain and "sniffing" them to be text/html after all. It's claimed that this is necessary, part of most browsers today, regular practice, etc. Are you opposed to specifying sniffing from text/plain to text/html? In any case? Larry -----Original Message----- From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Philip Gladstone Sent: Monday, October 24, 2011 9:24 AM To: websec@ietf.org Subject: Re: [websec] #21: sniffing of text/html shouldn't override polyglot label of application/xhtml+xml On 10/23/2011 7:52 PM, websec issue tracker wrote: > > (One still might want to sniff text/html when the type is labeled > text/plain, for example, but not for other polyglot cases.) This would be a disaster. For security reasons, a web server needs to know when a document will be "executed" rather than "displayed". Currently, using text/plain will display any document literally. Causing a document that looks like html to be executed will open lots of web sites to XSS. Philip _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
- [websec] #21: sniffing of text/html shouldn't ove… websec issue tracker
- Re: [websec] #21: sniffing of text/html shouldn't… Philip Gladstone
- Re: [websec] #21: sniffing of text/html shouldn't… Larry Masinter
- Re: [websec] #21: sniffing of text/html shouldn't… Philip Gladstone
- Re: [websec] #21: sniffing of text/html shouldn't… Adam Barth