Re: [websec] scope of mimesniff: roles vs. contexts vs. delivery channels

Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 12 January 2012 04:11 UTC

Message-ID: <4F0E5D73.3030904@gondrom.org>
Date: Thu, 12 Jan 2012 12:11:31 +0800
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
References: <C68CB012D9182D408CED7B884F441D4D06123B524F@nambxv01a.corp.adobe.com>
In-Reply-To: <C68CB012D9182D408CED7B884F441D4D06123B524F@nambxv01a.corp.adobe.com>

<hat="individual">

Personally I believe we should include in the scope the possibility of 
other sniffing contexts (web servers, uploads, filesystem, ....) and 
actually would feel that this should not add a significant burden on the 
document.

However, if it does add a significant burden/delay on the document, I 
would agree with Bjoern that I would rather have a web browser document now 
than get stuck discussing the other scenarios.
So give it a shot, but if you see too much controversy, reduce the scope.
(Thinking about human behaviour: in the end I believe that even if we go only 
with the web browser context, if other channels sniff, they will most 
certainly copy the web browser behaviour anyway - no matter what we say 
in the RFC.)

Best regards, Tobias

On 12/01/12 02:36, Larry Masinter wrote:
> Going back to the "scope" question, should the mimesniff document cover sniffing in contexts other than browsers, e.g., by web servers during file upload, by proxies or firewalls or gateways, by spiders or search engines, etc.?
>
> Within the browser context, does it cover sniffing in special applications like font, video, style sheet, script contexts, where more is known about the type that is wanted?
>
> The dimension of 'roles' is somewhat orthogonal to the dimension we were talking about previously (whether the specification should cover sniffing of content delivered by means other than HTTP).
>
> It seemed that the sentiment previously was to cover a broad scope of delivery channels: sniffing should cover the broad scope of sniffing of content delivered by FTP or through (mounted) file system access, etc., and that the intent was also to cover a broad scope of contexts (including font, video, style sheet, etc.).
>
> But what about the other roles? I think we could address them at least to some degree, if only to lay out what the constraints are, or what, say, a firewall should do (scanning content in a firewall should likely scan the data as it might appear in the likely formats that any recipient might interpret the data, for example.)
>
> Larry
> --
> http://larry.masinter.net
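An added illustration of the upload-server context discussed in this thread (example code, not from the thread or from the mimesniff draft): a server-side check that compares the declared type of an uploaded file with what a mimesniff-style recipient would conclude, so that content a browser would render as HTML is not accepted under a passive declared type. The pattern table is an assumed, simplified subset of the spec's patterns, and the sample inputs are constructed.

```python
# Assumed, simplified subset of mimesniff-style byte patterns (not the full spec table).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
]
# Tag prefixes that make a sniffing browser treat the resource as HTML (assumed subset).
HTML_TAGS = [b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe"]
# Bytes that mark content as binary rather than text (the spec's "binary data byte" idea).
BINARY = set(range(0x00, 0x09)) | {0x0B} | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20))


def sniff(data: bytes) -> str:
    """Return the type a sniffing recipient would most likely assign to `data`."""
    head = data[:512]                      # only the resource header is inspected
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    stripped = head.lstrip(b"\t\n\x0c\r ")  # leading whitespace is skipped before HTML tags
    low = stripped[:32].lower()
    if any(low.startswith(tag) for tag in HTML_TAGS):
        return "text/html"
    if not any(b in BINARY for b in head):
        return "text/plain"
    return "application/octet-stream"


def check_upload(declared: str, data: bytes) -> dict:
    """Server-side policy: flag declared/sniffed mismatches and reject files that a
    browser would render as HTML although they were declared as something passive."""
    sniffed = sniff(data)
    return {
        "declared": declared,
        "sniffed": sniffed,
        "mismatch": sniffed != declared,
        "reject": sniffed == "text/html" and declared != "text/html",
    }


if __name__ == "__main__":
    samples = {  # constructed uploads, not data from the thread
        "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "notes.txt": ("text/plain", b"  \n<html><body>Hello</body></html>"),
        "readme.txt": ("text/plain", b"Plain notes about mimesniff scope."),
    }
    for name, (declared, blob) in samples.items():
        print(name, check_upload(declared, blob))
```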