IETF Logo Mail Archive

Re: [websec] #22: content-type sniffing should include charset sniffing

Tobias Gondrom <tobias.gondrom@gondrom.org> Mon, 24 October 2011 07:08 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C24FD21F8B4F for <websec@ietfa.amsl.com>; Mon, 24 Oct 2011 00:08:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.55
X-Spam-Level:
X-Spam-Status: No, score=-95.55 tagged_above=-999 required=5 tests=[AWL=-1.227, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FRT_ADOBE2=2.455, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1brX4BGuXnzF for <websec@ietfa.amsl.com>; Mon, 24 Oct 2011 00:08:05 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 53AE521F877F for <websec@ietf.org>; Mon, 24 Oct 2011 00:08:04 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=icFmAp/vHOigRvNVgfQYVgbni44csmaH08CZtsUngXv7wM+mKHJRP3nM4KR57YiIyGQdemjPVgdRmdDRyqeZib91/2w+LYyFLlKTxuTPbaxusR0gHFCn/SEl6IliavWy; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 26364 invoked from network); 24 Oct 2011 09:07:06 +0200
Received: from unknown (HELO ?10.5.5.61?) (61.8.220.69) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 24 Oct 2011 09:07:06 +0200
Message-ID: <4EA50E9A.60407@gondrom.org>
Date: Mon, 24 Oct 2011 08:07:06 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20110923 Thunderbird/7.0
MIME-Version: 1.0
To: websec@ietf.org
References: <059.f8bc48a3163d95d888ee3a23a2ca7fb9@trac.tools.ietf.org> <4EA4DA67.3000502@gondrom.org> <CAJE5ia_7PO_g-0P9OvXsSazwkTkgWz6-Vs4N5tFvg=VygfFt5g@mail.gmail.com> <C68CB012D9182D408CED7B884F441D4D0605EFA3C4@nambxv01a.corp.adobe.com> <CAJE5ia_tq8D4wTc51rMV68N6KhUTMpeT_FTW6Xag7bT76tz5Xw@mail.gmail.com> <C68CB012D9182D408CED7B884F441D4D0605EFA3C6@nambxv01a.corp.adobe.com> <4EA5079B.9050700@it.aoyama.ac.jp> <C68CB012D9182D408CED7B884F441D4D0605EFA3CF@nambxv01a.corp.adobe.com>
In-Reply-To: <C68CB012D9182D408CED7B884F441D4D0605EFA3CF@nambxv01a.corp.adobe.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [websec] #22: content-type sniffing should include charset sniffing
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2011 07:08:06 -0000

<hat="individual">
Well, I don't feel that looking at the octets aka magic numbers is a 
"superficial work-around", rather find it a reasonable argument.
Personally, I don't think we need to go into charset-sniffing in the 
draft, but if you can make it an uncomplicated sub-set of some of the 
content-types, it probably won't harm.

However, I have some doubts that we can limit the extend of 
charset-sniffing to a small area in the draft as discussed and may not 
end up with a whole other set of additional problems.... - in which case 
I would rather like to see the content-type sniffed and talk about 
charset-sniffing in another draft - if we want to go there...

just my 5cents, Tobias



On 24/10/11 07:47, Larry Masinter wrote:
> The charset sniffing documentation in the HTML5 document isn't all that complicated, anyway.
>
> And it has to be somewhere.
>
> What's the point of standardizing sniffing of the internet media type without also standardizing the sniffing of all of the relevant parameters.... the goal is to sniff the content-type, the media type by itself isn't what's used.
> It's just for text and xml types, the 'charset' parameter is already there.
>
> Also, the algorithm in the document currently is incomplete and inappropriate if you're going to sniff XML-based media types, so the fact that the current algorithm can get away with hiding "charset guessing" as if it were just on octets and not the characters -- well, that's just a superficial work-around.
>
> Larry
>
>
> -----Original Message-----
> From: "Martin J. Dürst" [mailto:duerst@it.aoyama.ac.jp]
> Sent: Sunday, October 23, 2011 11:37 PM
> To: Larry Masinter
> Cc: Adam Barth; websec@ietf.org
> Subject: Re: [websec] #22: content-type sniffing should include charset sniffing
>
> I agree with Adam and Tobias that we should not pull all of charset sniffing into this document. Many charset details depend on the mime type in the first place, and are carefully described in the respective specs. For some transfer protocols, the question of charset may be irrelevant (e.g. for text over Websocket, which prescribes and checks for UTF-8).
>
> Larry is right that in some cases, some preliminary charset sniffing is necessary to get at some information at the start of the document, but I think we should strictly limit this draft to these cases.
>
> Regards,    Martin.
>
> On 2011/10/24 13:14, Larry Masinter wrote:
>> I was talking about the necessary dependency of the specifications -- that you couldn't specify media type sniffing completely without making at least a normative reference to charset sniffing.
>>
>> The fact that the code works that way is evidence, of course, but
>> we're not talking about possibility of implementation (where a single
>> implementation is evidence) but rather orthogonality of interfaces
>> (where the question is whether ALL implementations must follow this
>> pattern.)
>>
>> Larry
>>
>>
>>
>>
>> -----Original Message-----
>> From: Adam Barth [mailto:ietf@adambarth.com]
>> Sent: Sunday, October 23, 2011 8:37 PM
>> To: Larry Masinter
>> Cc: Tobias Gondrom; websec@ietf.org
>> Subject: Re: [websec] #22: content-type sniffing should include
>> charset sniffing
>>
>> I mean, that's how the code works, so it must be possible.  :)
>>
>> Adam
>>
>>
>> On Sun, Oct 23, 2011 at 8:32 PM, Larry Masinter<masinter@adobe.com>   wrote:
>>> I know it's complicated, but scanning text is necessarily part of determining which application/something+xml  you have.  I think (but should really check before saying this) that XML media type registrations describe what the DOCTYPE or XML namespace or root element are, and that, to properly "sniff" them, you'd have to scan text. But before you scan text, you have to determine charset.
>>>
>>> So if we're going to support sniffing of media types in general, I don't see how we can do that without also specifying charset determination.
>>>
>>>
>>>
>>> Larry
>>> ]
>>>
>>> -----Original Message-----
>>> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
>>> Behalf Of Adam Barth
>>> Sent: Sunday, October 23, 2011 8:28 PM
>>> To: Tobias Gondrom
>>> Cc: websec@ietf.org
>>> Subject: Re: [websec] #22: content-type sniffing should include
>>> charset sniffing
>>>
>>> The charset sniffing is also complicated by the fact that sometimes user agents need to parse some of the HTML to find a<meta>   element.
>>> In some situations, user agents need to restart the parsing algorithm, which is quite delicate and better to describe in the same document as HTML parsing (at least for use by HTML processing engines).
>>>
>>> Adam
>>>
>>>
>>> On Sun, Oct 23, 2011 at 8:24 PM, Tobias Gondrom<tobias.gondrom@gondrom.org>   wrote:
>>>> <hat="individual">
>>>> I tend not to agree with that.
>>>>
>>>> The fact that charset sniffing might happen at the same time as
>>>> mime-sniffing does not seem like a strong argument to include this
>>>> in the draft.
>>>>
>>>> Furthermore I would rather have these issues separate:
>>>> First you determine the content-type and then after that you may
>>>> want to determine the charset used within that content-type (if you
>>>> really have to sniff the charset). I can also imagine that charset
>>>> sniffing algorithm might be depending on the application identified
>>>> by the sniffed mime-type, which again would speak against throwing it in together with mime-sniffing....
>>>>
>>>> Kind regards, Tobias
>>>>
>>>>
>>>>
>>>> On 24/10/11 00:55, websec issue tracker wrote:
>>>>> #22: content-type sniffing should include charset sniffing
>>>>>
>>>>>    the HTML5 spec contains some algorithms for sniffing charset,
>>>>> overriding
>>>>>    labeled charset, etc.
>>>>>
>>>>>    MIME parameters like charset are as much a part of the
>>>>> content-type as the
>>>>>    base internet media type, and any sniffing of parameters and other
>>>>>    metadata (overriding content-type or guessing where it is not
>>>>> supplied or
>>>>>    wrong) should be included in this document, since the sniffing
>>>>> will happen
>>>>>    at the same time.
>>>>>
>>>> _______________________________________________
>>>> websec mailing list
>>>> websec@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/websec
>>>>
>>> _______________________________________________
>>> websec mailing list
>>> websec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/websec
>>>
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec

v2.23.0 | Report a Bug | By Email