Re: [websec] Minor feedback on draft-ietf-websec-mime-sniff-03

Julian Reschke <julian.reschke@gmx.de> Sun, 15 January 2012 21:01 UTC

Message-ID: <4F133E75.2000204@gmx.de>
Date: Sun, 15 Jan 2012 22:00:37 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Adam Barth <ietf@adambarth.com>
References: <20120115195120.GG32205@1wt.eu> <CAJE5ia_gBJ=7DviO5hkmqnXHtC8ptHyKAMieBrFbVV-h9rQo9g@mail.gmail.com> <20120115204154.GH32205@1wt.eu> <CAJE5ia9vPmkMB-NkF-5PRzd2UZcrnSvmVPNYX3XvA80HMeVvEw@mail.gmail.com>
In-Reply-To: <CAJE5ia9vPmkMB-NkF-5PRzd2UZcrnSvmVPNYX3XvA80HMeVvEw@mail.gmail.com>
Cc: ian@hixie.ch, websec@ietf.org, Willy Tarreau <w@1wt.eu>
Subject: Re: [websec] Minor feedback on draft-ietf-websec-mime-sniff-03

On 2012-01-15 21:53, Adam Barth wrote:
> On Sun, Jan 15, 2012 at 12:41 PM, Willy Tarreau <w@1wt.eu> wrote:
>> On Sun, Jan 15, 2012 at 11:52:38AM -0800, Adam Barth wrote:
>>> The requirement in the spec is what we intend.  The rule applies only
>>> to that exact octet sequence.
>>
>> But then what are the impacts of not matching the correct content-type ?
>
> I'm not sure I understand your question.  Can you explain a scenario
> in which something happens that causes someone to be sad with the
> current requirements?
>
> Adam

Translating Adam: matching only some specific header field instances is intentional, as these are the ones we know misconfigured servers send.

(right?)

It wouldn't hurt if the spec would explain that choice, if it doesn't right now.

Best regards, Julian