Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

Adam Barth <ietf@adambarth.com> Thu, 29 September 2011 02:43 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Wed, 28 Sep 2011 19:45:33 -0700
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Cc: websec@ietf.org
In-Reply-To: <4E83BF67.3040207@it.aoyama.ac.jp>
Message-ID: <CAJE5ia_b8W0DMZnCmXWYTHwQ-WGpm-Jg+Lozd7UWJPKj6zVqww@mail.gmail.com>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>

On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
<duerst@it.aoyama.ac.jp> wrote:
> On 2011/09/29 8:26, Adam Barth wrote:
>>
>> As I recall, the nosniff directive is pretty controversial.
>
> But then, as I recall, the whole business of sniffing is pretty
> controversial to start with. Are there differences between the
> controversiality of sniffing as such and the controversiality of the nosniff
> directive that explain why one is in the draft and the other is not?

The reason why one is in and the other isn't is just historical.
nosniff didn't exist at the time the document was originally written.

Adam


>> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom
>> <tobias.gondrom@gondrom.org>  wrote:
>>>
>>> Hello,
>>>
>>> although this has been around for a while, I just stumbled again over this
>>> HTTP header when I analysed the bits on the wire of some web
>>> applications:
>>>
>>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
>>> header instructs the browser not to override the response content type.
>>> For example, some browsers try to be smart by deciding for themselves if
>>> the content really is text/html or an image. So with the nosniff option,
>>> if the server says the content is text/html, then the browser needs to
>>> render it as text/html.
>>>
>>> Is this something we should mention in mime-sniff or even consider
>>> encouraging?
>>>
>>> Kind regards, Tobias
>>>
>>>
>>>> On 2011-05-08 02:45, Internet-Drafts@ietf.org wrote:
>>>>>
>>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>>> directories.
>>>>> This draft is a work item of the Web Security Working Group of the
>>>>> IETF.
>>>>>
>>>>>
>>>>> Title : Media Type Sniffing
>>>>> Author(s) : A. Barth, I. Hickson
>>>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>>>> Pages : 24
>>>>> Date : 2011-05-07
>>>>> ...
>>>>
>>>
>>> _______________________________________________
>>> websec mailing list
>>> websec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/websec
>>>
>
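The behaviour Tobias describes above, modelled in code as an added example that is not part of this thread, the draft, or any browser: a response is classified by its declared Content-Type, a small content sniffer may override a weak or missing declaration, and X-Content-Type-Options: nosniff makes the declared type final. The signature table, the HTML-tag list and the notion of "overridable" declared types are constructed simplifications for illustration, not the draft's algorithm.

```python
"""Model of how X-Content-Type-Options: nosniff changes a browser's
effective media type decision.

Added illustration, not code from the mime-sniff draft or from any
browser. The sniffing rules are a deliberately simplified stand-in
(a few magic-byte signatures plus a leading-HTML-tag check); only the
nosniff handling is the point.
"""

# Constructed signature table: leading bytes -> media type.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
]

# Constructed list: tags at the start of a body make the sniffer call it HTML.
HTML_OPENERS = (b"<!doctype html", b"<html", b"<head", b"<body",
                b"<script", b"<iframe")

# Constructed assumption: declared types a sniffing browser may override.
OVERRIDABLE = {None, "", "text/plain", "application/octet-stream"}


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def nosniff_set(headers):
    """True when the response carries X-Content-Type-Options: nosniff.
    The value comparison ignores case and surrounding whitespace."""
    value = get_header(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def declared_type(headers):
    """Media type from Content-Type, parameters dropped, lower-cased."""
    value = get_header(headers, "Content-Type")
    if value is None:
        return None
    return value.split(";", 1)[0].strip().lower()


def sniff(body):
    """Simplified content sniff: signature match, then HTML-tag check."""
    for magic, media_type in SIGNATURES:
        if body.startswith(magic):
            return media_type
    head = body[:512].lstrip().lower()
    if any(head.startswith(tag) for tag in HTML_OPENERS):
        return "text/html"
    return None


def effective_type(headers, body):
    """Media type the model browser renders the response as.

    With nosniff the declared type is final. Without it, a weak or
    missing declared type is replaced by whatever the sniffer finds.
    """
    declared = declared_type(headers)
    if nosniff_set(headers):
        return declared or "application/octet-stream"
    if declared in OVERRIDABLE:
        return sniff(body) or declared or "application/octet-stream"
    return declared


# Constructed sample responses: a user-uploaded "text" file that is HTML.
HTML_BODY = b"<html><body>uploaded note</body></html>"

SAMPLES = {
    "plain text, no nosniff": ({"Content-Type": "text/plain"}, HTML_BODY),
    "plain text, nosniff": ({"Content-Type": "text/plain",
                             "X-Content-Type-Options": "nosniff"}, HTML_BODY),
    "no Content-Type, GIF body": ({}, b"GIF89a" + b"\x00" * 8),
    "png with params, nosniff": ({"content-type": "image/PNG; q=1",
                                  "x-content-type-options": " NOSNIFF "},
                                 b"\x89PNG\r\n\x1a\n"),
}


def demo():
    """Return label -> effective media type for each sample response."""
    return {label: effective_type(h, b) for label, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:28s} -> {result}")
```

The point the model makes is the one in the quoted message: the header only stops the browser from second-guessing the server, so it helps exactly when the server's own Content-Type is accurate (text/plain for a text upload, application/octet-stream for a download). A response that declares text/html is rendered as HTML with or without nosniff.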