[websec] scope of mimesniff: roles vs. contexts vs. delivery channels

Larry Masinter <masinter@adobe.com> Wed, 11 January 2012 18:36 UTC

From: Larry Masinter <masinter@adobe.com>
To: "websec@ietf.org" <websec@ietf.org>
Date: Wed, 11 Jan 2012 10:36:37 -0800
Message-ID: <C68CB012D9182D408CED7B884F441D4D06123B524F@nambxv01a.corp.adobe.com>

Going back to the "scope" question, should the mimesniff document cover sniffing in contexts other than browsers, e.g., by web servers during file upload, by proxies or firewalls or gateways, by spiders or search engines, etc.?

Within the browser context, does it cover sniffing in special applications like font, video, style sheet, script contexts, where more is known about the type that is wanted?

The dimension of 'roles' is somewhat orthogonal to the dimension we were talking about previously (whether the specification should cover sniffing of content delivered by means other than HTTP).

It seemed that the sentiment previously was to cover a broad scope of delivery channels: sniffing should cover the broad scope of sniffing of content delivered by FTP or through (mounted) file system access, etc., and that the intent was also to cover a broad scope of contexts (including font, video, style sheet, etc.).

But what about the other roles? I think we could address them at least to some degree, if only to lay out what the constraints are, or what, say, a firewall should do (scanning content in a firewall should likely scan the data as it might appear in any of the likely formats in which a recipient might interpret the data, for example).

Larry
--
http://larry.masinter.net
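As an added illustration that is not part of the post above, the following Python sketch makes the roles-vs-contexts distinction concrete: a browser in a specific context (image, font) settles on one type, a top-level document context trusts the declared type, while a gateway or firewall scanning the same bytes should consider every format some recipient might read them as. The signature table, the per-context policy and the sample inputs are all constructed for this example, not taken from the mimesniff draft.

```python
from __future__ import annotations

# Constructed subset of a byte-signature table; not mimesniff's own table.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]
HTML_TAGS = (b"<!doctype html", b"<html", b"<script", b"<iframe")

# Types a given browser context is prepared to sniff (constructed policy).
# None means the context accepts anything, as for a top-level document.
CONTEXT_ALLOWED = {
    "image": {"image/png", "image/gif", "image/jpeg"},
    "font": set(),
    "document": None,
}

def sniff_candidates(data: bytes, scan_len: int = 512) -> set[str]:
    """Every type some consumer might read this resource as (scanner view)."""
    head = data[:scan_len]
    found = {mt for sig, mt in SIGNATURES if head.startswith(sig)}
    # HTML-ish tags count wherever they occur in the leading bytes, because a
    # permissive consumer may treat the whole resource as markup.
    if any(tag in head.lower() for tag in HTML_TAGS):
        found.add("text/html")
    return found

def browser_type(data: bytes, context: str, declared: str | None = None) -> str:
    """The single type a browser settles on for one context (browser role)."""
    allowed = CONTEXT_ALLOWED[context]
    cands = sniff_candidates(data)
    if allowed is not None:
        # A specific context only sniffs types it can actually use, and a
        # signature match there overrides a wrong declared type.
        cands &= allowed
        return min(cands) if cands else (declared or "application/octet-stream")
    # Top-level document: trust a declared type, sniff only when it is absent.
    if declared and declared != "application/octet-stream":
        return declared
    return min(cands) if cands else "application/octet-stream"

def gateway_formats(data: bytes, declared: str | None = None) -> set[str]:
    """Formats a firewall or gateway should scan as: declared plus every candidate."""
    formats = sniff_candidates(data)
    if declared:
        formats.add(declared)
    return formats
```

The point of the last function is that the gateway role cannot reuse the browser's single answer: it has to scan under each interpretation in the returned set.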