[websec] #21: sniffing of text/html shouldn't override polyglot label of application/xhtml+xml

"websec issue tracker" <trac+websec@trac.tools.ietf.org> Sun, 23 October 2011 23:52 UTC

Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 050B821F8B51 for <websec@ietfa.amsl.com>; Sun, 23 Oct 2011 16:52:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VMx7jpzlUohZ for <websec@ietfa.amsl.com>; Sun, 23 Oct 2011 16:52:37 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 7A91321F8B2B for <websec@ietf.org>; Sun, 23 Oct 2011 16:52:37 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1RI7qF-0005jd-4g; Sun, 23 Oct 2011 19:52:35 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: websec issue tracker <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-mime-sniff@tools.ietf.org, masinter@adobe.com
X-Trac-Project: websec
Date: Sun, 23 Oct 2011 23:52:35 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/21
Message-ID: <059.3516e8c3cdad2665b7817e8e50a003a8@trac.tools.ietf.org>
X-Trac-Ticket-ID: 21
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-mime-sniff@tools.ietf.org, masinter@adobe.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To:
Resent-Message-Id: <20111023235237.7A91321F8B2B@ietfa.amsl.com>
Resent-Date: Sun, 23 Oct 2011 16:52:37 -0700
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec] #21: sniffing of text/html shouldn't override polyglot label of application/xhtml+xml
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Oct 2011 23:52:38 -0000

#21: sniffing of text/html shouldn't override polyglot label of
application/xhtml+xml

 (I have to double check that this is true):

 In general, "sniffing" is dangerous in "polyglot" cases where the same
 content CAN be served with different media types, where the meaning is the
 same or related.

 For example, there are types for packaged formats that use ZIP and thus
 have the ZIP magic number but aren't served as ZIP, text/plain is
 sometimes used to deliver examples of otherwise malformed XML, etc.

 It would seem better to discourage sniffing in cases where the content is
 valid for the type that it's actually labeled, and to treat that as a
 special case.

 (One still might want to sniff text/html when the type is labeled
 text/plain, for example, but not for other polyglot cases.)

-- 
------------------------+--------------------------------------------
 Reporter:  masinter@…  |      Owner:  draft-ietf-websec-mime-sniff@…
     Type:  defect      |     Status:  new
 Priority:  major       |  Milestone:
Component:  mime-sniff  |    Version:
 Severity:  -           |   Keywords:
------------------------+--------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/21>
websec <http://tools.ietf.org/websec/>
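The policy the ticket argues for, as an added illustration (this is not code from the ticket's author, the websec WG, or the mime-sniff draft): a content-first sniffer is kept as the baseline, and the "content is valid for its label" special case stops it from overriding the label in the polyglot cases, while the text/plain to text/html case the ticket still wants sniffed is carried through as an explicit exception. The type list, the `validForLabel` plausibility checks and the sample bodies are assumptions made for the example; a real implementation would parse the XML or read the ZIP central directory rather than match markers.

```javascript
// Added example illustrating the rule proposed in websec ticket #21.
// Not the mime-sniff draft's algorithm; the checks and type lists below
// are deliberately minimal assumptions chosen to show the policy.

const ZIP_MAGIC = Buffer.from([0x50, 0x4b, 0x03, 0x04]); // "PK\x03\x04"
const XHTML_NS = 'xmlns="http://www.w3.org/1999/xhtml"';

// Assumed set of ZIP-packaged formats that are "polyglot" with application/zip.
const ZIP_PACKAGED_TYPES = new Set([
  "application/vnd.oasis.opendocument.text",
  "application/epub+zip",
  "application/java-archive",
]);

const HTML_MARKERS = ["<!doctype html", "<html", "<head", "<body", "<script"];

function hasZipMagic(bytes) {
  return bytes.length >= ZIP_MAGIC.length &&
    bytes.subarray(0, ZIP_MAGIC.length).equals(ZIP_MAGIC);
}

// Skip an optional XML declaration and leading whitespace, then look for an
// HTML marker, so an XHTML polyglot is recognised as HTML-looking.
function looksLikeHtml(bytes) {
  const head = bytes.subarray(0, 512).toString("latin1")
    .replace(/^\s*<\?xml[^>]*\?>/i, "")
    .trimStart()
    .toLowerCase();
  return HTML_MARKERS.some((m) => head.startsWith(m));
}

// Control bytes (other than tab/LF/FF/CR/ESC) in the head mark a body as binary.
function hasBinaryBytes(bytes) {
  const allowed = new Set([0x09, 0x0a, 0x0c, 0x0d, 0x1b]);
  for (const b of bytes.subarray(0, 512)) {
    if (b < 0x20 && !allowed.has(b)) return true;
  }
  return false;
}

// Is the body plausibly valid for the type the server labeled it with?
// Stand-in checks only: a real check would parse the XML / ZIP structure.
function validForLabel(label, bytes) {
  if (label === "application/xhtml+xml") {
    const head = bytes.subarray(0, 2048).toString("latin1");
    return looksLikeHtml(bytes) && head.includes(XHTML_NS);
  }
  if (label === "application/zip" || ZIP_PACKAGED_TYPES.has(label)) {
    return hasZipMagic(bytes);
  }
  if (label === "text/plain") {
    return !hasBinaryBytes(bytes);
  }
  return false;
}

// Baseline content-first sniffer: the bytes win over the label.
function naiveSniff(label, bytes) {
  if (hasZipMagic(bytes)) return "application/zip";
  if (looksLikeHtml(bytes)) return "text/html";
  return label;
}

// Resolver with the ticket's special case: when the body is valid for its
// label, the label stands; text/plain -> text/html stays sniffable.
function resolveType(label, bytes) {
  const sniffed = naiveSniff(label, bytes);
  if (sniffed === label) return label;
  if (label === "text/plain" && sniffed === "text/html") return sniffed;
  if (validForLabel(label, bytes)) return label;
  return sniffed;
}

// Constructed sample bodies for the demonstration (not captured traffic).
const SAMPLES = {
  xhtmlPolyglot: Buffer.from(
    '<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE html>\n' +
    '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>t</title></head>' +
    "<body><p>polyglot</p></body></html>"),
  odtPackage: Buffer.concat([ZIP_MAGIC, Buffer.alloc(64)]),
  plainNotes: Buffer.from("notes: <unclosed> this is not a document"),
};

function compare(label, bytes) {
  return { label, naive: naiveSniff(label, bytes), proposed: resolveType(label, bytes) };
}

for (const [label, bytes] of [
  ["application/xhtml+xml", SAMPLES.xhtmlPolyglot],
  ["text/plain", SAMPLES.xhtmlPolyglot],
  ["application/vnd.oasis.opendocument.text", SAMPLES.odtPackage],
  ["text/plain", SAMPLES.odtPackage],
  ["text/plain", SAMPLES.plainNotes],
]) {
  console.log(compare(label, bytes));
}
```

Run with node. The XHTML polyglot keeps its application/xhtml+xml label under `resolveType` where `naiveSniff` would turn it into text/html, and the ODT package keeps its label where the naive sniffer reports application/zip; the same XHTML bytes labeled text/plain are still promoted to text/html, which is the one override the ticket says one might still want.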