Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Thu, 29 September 2011 00:41 UTC

Message-ID: <4E83BF67.3040207@it.aoyama.ac.jp>
Date: Thu, 29 Sep 2011 09:44:23 +0900
From: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100722 Eudora/3.0.4
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <20110508004502.3883.40670.idtracker@ietfa.amsl.com> <4E7DB8E4.9040208@gmx.de> <4E83AA99.6080308@gondrom.org> <CAJE5ia_k3vXWixC6UsJ6mJ08xW8NQO06MVVD9-dzYSOFkDfutg@mail.gmail.com>
In-Reply-To: <CAJE5ia_k3vXWixC6UsJ6mJ08xW8NQO06MVVD9-dzYSOFkDfutg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: websec@ietf.org
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

On 2011/09/29 8:26, Adam Barth wrote:
> As I recall, the nosniff directive is pretty controversial.

But then, as I recall, the whole business of sniffing is pretty 
controversial to start with. Are there differences between the 
controversiality of sniffing as such and the controversiality of the 
nosniff directive that explain why one is in the draft and the other is not?

Regards,   Martin.


> Adam
>
>
> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom
> <tobias.gondrom@gondrom.org>  wrote:
>> Hello,
>>
>> although this has been around for a while, just stumbled again over this
>> http header when I analysed the bits on the wire of some web applications:
>>
>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
>> header instructs the browser not to override the response content type. For
>> example, some browsers try to be smart by deciding for themselves if the
>> content really is text/html or an image. So with the nosniff option, if
>> the server says the content is text/html, then the browser needs to render
>> it as text/html.
>>
>> Is this something we should mention in mime-sniff or even consider to
>> encourage?
>>
>> Kind regards, Tobias
>>
>>
>>> On 2011-05-08 02:45, Internet-Drafts@ietf.org wrote:
>>>>
>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>> directories.
>>>> This draft is a work item of the Web Security Working Group of the IETF.
>>>>
>>>>
>>>> Title : Media Type Sniffing
>>>> Author(s) : A. Barth, I. Hickson
>>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>>> Pages : 24
>>>> Date : 2011-05-07
>>>> ...
>>>
>>
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
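The header Tobias describes above is easiest to see as a decision rule: with nosniff present, the declared Content-Type wins; without it, a sniffing client may re-interpret the bytes. The following Python is an added illustration written for this archive page, not code from the websec thread or from the mime-sniff draft. Its sniffing rules (a PNG signature and an HTML tag scan) are a deliberately tiny stand-in for a browser's real algorithm, an assumption made only to show the header's effect, and SAMPLE_RESPONSES are constructed.

```python
"""Model of X-Content-Type-Options: nosniff versus a sniffing client.

Constructed example; the sniffer below is a toy (assumption), not the
algorithm of draft-ietf-websec-mime-sniff or of any real browser.
"""

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def header(headers, name):
    """Case-insensitive lookup of an HTTP header value, or None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def declared_type(headers):
    """Media type from Content-Type, lowercased and stripped of parameters."""
    value = header(headers, "Content-Type")
    if value is None:
        return None
    return value.split(";")[0].strip().lower()


def has_nosniff(headers):
    """True if the response carries X-Content-Type-Options: nosniff."""
    value = header(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def sniffed_type(body):
    """Toy content sniffer (assumption): inspects the first 512 bytes only."""
    head = body[:512]
    if head.startswith(PNG_MAGIC):
        return "image/png"
    if b"<html" in head.lower() or b"<script" in head.lower():
        return "text/html"
    return None  # nothing recognised; fall back to the declared type


def effective_type(headers, body):
    """Type a sniffing client would treat the response as."""
    declared = declared_type(headers)
    if has_nosniff(headers):
        # Server opted out of sniffing: the declared type is final.
        return declared
    return sniffed_type(body) or declared


# Constructed responses: a text upload with and without the header, plus an
# image whose header value is written with mixed case (header values are
# matched case-insensitively here).
SAMPLE_RESPONSES = {
    "upload.txt (no header)": (
        {"Content-Type": "text/plain"},
        b"<html><body><p>user supplied text</p></body></html>",
    ),
    "upload.txt (nosniff)": (
        {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
        b"<html><body><p>user supplied text</p></body></html>",
    ),
    "logo.png (nosniff)": (
        {"content-type": "image/png; charset=binary",
         "x-content-type-options": "NoSniff"},
        PNG_MAGIC + b"\x00\x00\x00\rIHDR",
    ),
}


def audit(responses):
    """Map each response name to (declared, effective, nosniff present).

    A declared/effective mismatch with nosniff absent is exactly the case the
    header is meant to close, and is what to look for on the wire."""
    report = {}
    for name, (headers, body) in responses.items():
        report[name] = (declared_type(headers),
                        effective_type(headers, body),
                        has_nosniff(headers))
    return report


if __name__ == "__main__":
    for name, (declared, effective, nosniff) in audit(SAMPLE_RESPONSES).items():
        flag = "" if declared == effective else "  <-- client would reinterpret"
        print(f"{name}: declared={declared} effective={effective} "
              f"nosniff={nosniff}{flag}")
```

Running the script lists the three constructed responses; only the first one, text/plain without the header, comes back with a different effective type, which is the situation the nosniff directive removes.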