[websec] draft-ietf-websec-mime-sniff - questions
Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 25 January 2011 19:13 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@core3.amsl.com
Delivered-To: websec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 190193A6876 for <websec@core3.amsl.com>; Tue, 25 Jan 2011 11:13:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -93.912
X-Spam-Level:
X-Spam-Status: No, score=-93.912 tagged_above=-999 required=5 tests=[AWL=0.850, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FYvDCc-707cu for <websec@core3.amsl.com>; Tue, 25 Jan 2011 11:13:19 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by core3.amsl.com (Postfix) with ESMTP id 532FA3A680A for <websec@ietf.org>; Tue, 25 Jan 2011 11:13:19 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=teUgSdfz/Nr3WZYHkG654+7I9wUhXcD5sljQHsNQruU+5MUj/WtBStM2Sv6Lz0Eh+B/UoHGnehpLz5jy7BI1uEq3Smu32VNfnbgYWWteSkAjUJT0nQ3wG0T/wQPWNng1; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 30134 invoked from network); 25 Jan 2011 20:15:02 +0100
Received: from host-52-160.london.edu (HELO seraphim.heaven) (163.119.52.160) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 25 Jan 2011 20:15:02 +0100
Message-ID: <4D3F2164.2050401@gondrom.org>
Date: Tue, 25 Jan 2011 19:15:48 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 SUSE/3.1.7 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: ietf@adambarth.com, websec@ietf.org
References: <AANLkTimrfDk9QeNYJE_kjqiRL54XqSwO06izLdwAZHjE@mail.gmail.com>
In-Reply-To: <AANLkTimrfDk9QeNYJE_kjqiRL54XqSwO06izLdwAZHjE@mail.gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [websec] draft-ietf-websec-mime-sniff - questions
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2011 19:13:21 -0000
Hello Adam, hello fellow websec members,
thanks a lot for the new version.
Just been reading through your draft again and have a few questions and
comments (as an individual, not in my WG chair role):
0. unfortunately don't know too much about video format sniffing, so
hope someone else can help with MP3 and H.264?
1. in section 2, page 5: a note states: "If an HTTP response contains
multiple Content-Type header fields, the user agent MUST use the
textually last Content-Type header field to the official-type.For
example, if the last Content-Type header field contains the value "foo",
then there is no official media type because "foo" cannot be interpreted
as a media type (even if the HTTP response contains another Content-Type
header field that could be interpreted as a media type)."
Question: Does this derive from a requirement in RFC2616 or is this your
recommendation and if the latter why can't a user agent use a
content-type he supports?
2. And regarding Mime-sniffing when a content-type is set:
Although rfc2616 states that mime-types may only be guessed by a
recipient, do you know whether common browser implementations guess the
mime-type even when the content-type is given (I believe to remember to
have run into this in some windows scenarios when the browser read the
content-type and handed the data over to the OS for display and the OS
then determined a different media-type (using magic numbers,
filename-extensions, etc.) and again opened a totally different
application. Are you aware whether this is still true?
(RFC2616, section 7.2.1 "Any HTTP/1.1 message containing an entity-body
SHOULD include a Content-Type header field defining the media type of
that body. If and only if the media type is not given by a Content-Type
field, the recipient MAY attempt to guess the media type via inspection
of its content and/or the name extension(s) of the URI used to identify
the resource. If the media type remains unknown, the recipient SHOULD
treat it as type "application/octet-stream".")
3. In section 5 I noticed that you classified postscript as "safe".
Am not sure whether this problem still exists, but I recall an instance
a few years back when I actually saw an attack using a postscript file,
that contained a script that would be executed on the server when the
file was rendered by a postscript library to another format (e.g. the
script then kicked in and started printing s.th.)
This flaw may not have been due to postscript, but only due to the
library, but am not sure that postscript specification doesn't contain
any scriptable content (file operations, printing) anymore?
and some more strategic questions:
4. What do you think, should we consider that a server be able to
declare in the http header that the client "MUST not" use mime-sniffing
and by this enforce a stricter mime-identification policy at the client?
5. And on another note, how do you think about different levels of
strictness (either to be set in the client and/or in the server (http
header): for example to illustrate this more, three levels:
a) disable mime-sniffing,
b) conservative mime-identification,
c) flexible mime identification.
6. and maybe stupid question:
In section 6: Why does svg+xml get a special treatment?
("If the official-type is "image/svg+xml", then let the sniffed-type be
the official-type (an XML type) and abort these steps.")
Many greetings
Tobias
On 01/24/2011 10:35 PM, Adam Barth wrote:
> Websecians,
>
> I've uploaded a new draft of draft-ietf-websec-mime-sniff that
> contains a handful of signatures for video and audio types supported
> by web browsers:
>
> http://www.ietf.org/id/draft-ietf-websec-mime-sniff-01.txt
>
> I've been trying to avoid getting embroiled in the video/audio format
> mess, but several folks have asked me to add this information to the
> document so that browsers can improve their interoperability.
>
> As you can see, I've added WebP, Ogg, WAVE, and WebM:
>
> http://tools.ietf.org//rfcdiff?url1=http%3A//www.ietf.org/id/draft-ietf-websec-mime-sniff-00.txt&url2=http%3A//www.ietf.org/id/draft-ietf-websec-mime-sniff-01.txt
>
> I would like to add MP3 and H.264 as well, but I'm unsure which
> signatures to use. If you know which signatures we should use for
> these formats, please let me know. Also, note that
> http://www.w3.org/html/wg/wiki/ChangeProposals/NoVideoContentType will
> likely have an effect on how we'll want to treat sniffing video,
> depending on whether that change proposal prevails.
>
> Thanks,
> Adam
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
- [websec] Video and audio types added to draft-iet… Adam Barth
- [websec] draft-ietf-websec-mime-sniff - questions Tobias Gondrom
- Re: [websec] draft-ietf-websec-mime-sniff - quest… Julian Reschke
- Re: [websec] draft-ietf-websec-mime-sniff - quest… Adam Barth