[websec] Are all the issues filed? (was: Re: Using IETF Tracker for issues on MIME sniffing?)
Adam Barth <ietf@adambarth.com> Sat, 22 October 2011 18:52 UTC
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 22 Oct 2011 11:51:48 -0700
To: Larry Masinter <masinter@adobe.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: [websec] Are all the issues filed? (was: Re: Using IETF Tracker for issues on MIME sniffing?)
Larry,

Have you filed all the issues you'd like addressed? I went through the issue tracker and I only found two:

http://wiki.tools.ietf.org/wg/websec/trac/ticket/15
http://wiki.tools.ietf.org/wg/websec/trac/ticket/16

Below you mention "nosniff", but I don't see that in the issue tracker. Please let me know when you've finished filing the issues you care about.

Adam

On Sat, Oct 15, 2011 at 4:52 PM, Larry Masinter <masinter@adobe.com> wrote:
> Could we start using the IETF tracker to keep track of our conversation on the issues on MIME sniffing?
>
> The interaction with a "nosniff" header should be one issue.
> The other three big issues that come to mind are
>
> * "scope" (to what situations does this apply)
> * "opt-in case-by-case" (whether one either sniffs ALWAYS or sniffs NEVER, or whether it's more nuanced and based on expectation)
> * "normative algorithm vs. invariants for specifications".
>
> I'm willing to write up these issues and the sniffing ones from http://tools.ietf.org/html/draft-masinter-mime-web-info , and I hope we can capture Pete Resnick's issues as well as Alexey's.
>
> Larry
>
> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Tobias Gondrom
> Sent: Sunday, October 02, 2011 2:44 PM
> To: hallam@gmail.com
> Cc: websec@ietf.org
> Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
> Importance: Low
>
> <hat="individual">
> Whether browsers will implement it, can't tell. Maybe we can learn more when we progress further with the mime-sniff draft.
>
> I don't have a strong opinion on the nosniff header.
> Depending on where the mime-sniff debate will lead us, it might be a way to mitigate concerns that in certain cases you really SHOULD NOT or MUST NOT (RFC2119) sniff.
> Well, and with such a header you could enforce exactly that for your sources, without breaking other unknown things/sites - which is the main reason for many browser vendors to start doing sniffing in the first place.
> (In one way nosniff could even be a migration path to less sniffing....)
>
> Best regards, Tobias
>
> On 01/10/11 15:30, Phillip Hallam-Baker wrote:
>> On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth <ietf@adambarth.com> wrote:
>>> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst" <duerst@it.aoyama.ac.jp> wrote:
>>>> On 2011/09/29 11:45, Adam Barth wrote:
>>>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst" <duerst@it.aoyama.ac.jp> wrote:
>>>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>>> But then, as I recall, the whole business of sniffing is pretty controversial to start with. Are there differences between the controversiality of sniffing as such and the controversiality of the nosniff directive that explain why one is in the draft and the other is not?
>>>>> The reason why one is in and the other isn't is just historical. nosniff didn't exist at the time the document was originally written.
>>>> Your first answer sounded as if the nosniff directive was too controversial to be included in any draft, but your second answer seems to suggest that it was left out by (historical) accident, and that it might be worth including it.
>>> The essential question isn't whether we should include it in the draft. The essential question is whether folks want to implement it. If no one wants to implement it, putting it in the draft is a negative. If folks want to implement it, then we can deal with the controversy.
>> +1
>>
>> The controversy seems to be of the 'cut off nose to spite face' variety. Sniffing is definitely terrible from a security perspective but people do it. Java and JavaScript were terrible as well but people did them and then left the rest of us with a mess that had to be fixed slowly over the next ten years.
>>
>> Sure this is not something we should have to think about but the fact is that the browsers do it and it is better for the standards to describe what the browsers actually do than what people think they should do.
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
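The opt-out behaviour Tobias describes in the quoted thread above (a server sends a nosniff header so the user agent honours its declared type instead of guessing from content) modelled as an added example; this is not code from the thread or from the mime-sniff draft. It assumes the header is `X-Content-Type-Options: nosniff`, and the magic-byte table, the set of "distrusted" declared types and the sample responses are constructed simplifications, not the draft's algorithm.

```python
# Added example: a simplified model of "sniff unless the server opts out".
# Not the draft-ietf-websec-mime-sniff algorithm; tables below are constructed.

# Constructed subset of leading byte patterns and the type they imply.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]
HTML_TAGS = (b"<!doctype html", b"<html", b"<script", b"<body")

# Declared types a sniffing user agent tends to distrust (assumption).
SNIFFABLE = {None, "", "text/plain", "application/octet-stream", "unknown/unknown"}


def parse_headers(raw):
    """Parse a block of HTTP response header lines into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def sniff_bytes(body):
    """Guess a type from the first 512 bytes; None when nothing matches."""
    head = body[:512]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    if head.lstrip().lower().startswith(HTML_TAGS):
        return "text/html"
    return None


def effective_type(headers, body):
    """Return (type the UA will use, whether it came from sniffing)."""
    declared = headers.get("content-type")
    if declared:
        declared = declared.split(";", 1)[0].strip().lower()
    opted_out = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if opted_out:
        # Server said "do not sniff": honour the declared type, never inspect bytes.
        return (declared or "application/octet-stream", False)
    if declared in SNIFFABLE:
        guess = sniff_bytes(body)
        if guess:
            return (guess, True)  # content overrides an untrusted declaration
    return (declared or "application/octet-stream", False)
```

The interesting case is a `text/plain` response whose body starts with `<script>`: without the header a sniffing UA promotes it to `text/html`, with the header it stays `text/plain`.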