Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
Adam Barth <ietf@adambarth.com> Wed, 28 September 2011 23:31 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F101211E8151 for <websec@ietfa.amsl.com>; Wed, 28 Sep 2011 16:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.06
X-Spam-Level:
X-Spam-Status: No, score=-3.06 tagged_above=-999 required=5 tests=[AWL=-0.083, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcXKtOFqOwIf for <websec@ietfa.amsl.com>; Wed, 28 Sep 2011 16:31:04 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 40C3811E8088 for <websec@ietf.org>; Wed, 28 Sep 2011 16:31:04 -0700 (PDT)
Received: by iaby26 with SMTP id y26so38505iab.31 for <websec@ietf.org>; Wed, 28 Sep 2011 16:33:53 -0700 (PDT)
Received: by 10.231.47.206 with SMTP id o14mr13888608ibf.18.1317252832489; Wed, 28 Sep 2011 16:33:52 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id t9sm475135ibq.11.2011.09.28.16.33.50 (version=SSLv3 cipher=OTHER); Wed, 28 Sep 2011 16:33:51 -0700 (PDT)
Received: by iaby26 with SMTP id y26so38459iab.31 for <websec@ietf.org>; Wed, 28 Sep 2011 16:33:50 -0700 (PDT)
Received: by 10.231.50.202 with SMTP id a10mr14896042ibg.39.1317252830101; Wed, 28 Sep 2011 16:33:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.200.203 with HTTP; Wed, 28 Sep 2011 16:33:20 -0700 (PDT)
In-Reply-To: <4E83AE36.7080008@gondrom.org>
References: <20110508004502.3883.40670.idtracker@ietfa.amsl.com> <4E7DB8E4.9040208@gmx.de> <4E83AA99.6080308@gondrom.org> <CAJE5ia_k3vXWixC6UsJ6mJ08xW8NQO06MVVD9-dzYSOFkDfutg@mail.gmail.com> <4E83AE36.7080008@gondrom.org>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 28 Sep 2011 16:33:20 -0700
Message-ID: <CAJE5ia9MYHSsQCbT5HnE7fT25tq-M3arjHKUbrqJ+NgjeazfJg@mail.gmail.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: websec@ietf.org
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 23:31:05 -0000
That's treated as text/plain, for what it's worth. Strangely, it's more common to get an empty content type with a nosniff directive than without one (by a few fractions of a percent). Adam On Wed, Sep 28, 2011 at 4:31 PM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote: > I can imagine. As there come problems with it, just thinking of empty > content-types and then forbidding to sniff. Just a thought. > > Tobias > > > On 29/09/11 00:26, Adam Barth wrote: >> >> As I recall, the nosniff directive is pretty controversial. >> >> Adam >> >> >> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom >> <tobias.gondrom@gondrom.org> wrote: >>> >>> Hello, >>> >>> although this has been around for a while, just stumbled again over this >>> http header when I analysed the bits on the wire of some web >>> applications: >>> >>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The >>> header instructs the browser not to override the response content type. >>> For >>> example, some browsers try to be smart by deciding for themselves if the >>> content is really is text/html or an image. So with the nosniff option, >>> if >>> the server says the content is text/html, then the browser needs to >>> render >>> it as text/html. >>> >>> Is this something we should mention in mime-sniff or even consider to >>> encourage? >>> >>> Kind regards, Tobias >>> >>> >>>> On 2011-05-08 02:45, Internet-Drafts@ietf.org wrote: >>>>> >>>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>>> directories. >>>>> This draft is a work item of the Web Security Working Group of the >>>>> IETF. >>>>> >>>>> >>>>> Title : Media Type Sniffing >>>>> Author(s) : A. Barth, I. Hickson >>>>> Filename : draft-ietf-websec-mime-sniff-03.txt >>>>> Pages : 24 >>>>> Date : 2011-05-07 >>>>> ... >>> >>> _______________________________________________ >>> websec mailing list >>> websec@ietf.org >>> https://www.ietf.org/mailman/listinfo/websec >>> > >
- [websec] I-D Action:draft-ietf-websec-mime-sniff-… Internet-Drafts
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Julian Reschke
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Alexey Melnikov
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Tobias Gondrom
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Tobias Gondrom
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Martin J. Dürst
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Martin J. Dürst
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Phillip Hallam-Baker
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Tobias Gondrom
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Bjoern Hoehrmann