[websec] Are all the issues filed? (was: Re: Using IETF Tracker for issues on MIME sniffing?)

Adam Barth <ietf@adambarth.com> Sat, 22 October 2011 18:52 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Sat, 22 Oct 2011 11:51:48 -0700
Message-ID: <CAJE5ia82hhiyQHboBg5cWLe_=VdSZ1pFgFi0_TiiwgJKxKesfw@mail.gmail.com>
To: Larry Masinter <masinter@adobe.com>
Cc: "websec@ietf.org" <websec@ietf.org>

Larry,

Have you filed all the issues you'd like addressed?  I went through the
issue tracker and I only found two:

http://wiki.tools.ietf.org/wg/websec/trac/ticket/15
http://wiki.tools.ietf.org/wg/websec/trac/ticket/16

Below you mention "nosniff", but I don't see that in the issue
tracker.  Please let me know when you've finished filing the issues
you care about.

Adam


On Sat, Oct 15, 2011 at 4:52 PM, Larry Masinter <masinter@adobe.com> wrote:
> Could we start using the IETF tracker to keep track of our conversation on the issues on MIME sniffing?
>
> The interaction with a "nosniff" header should be one issue.
> The other three big issues that come to mind are
>
> * "scope" (to what situations does this apply)
> * "opt-in case-by-case" (whether one either sniffs ALWAYS or sniffs NEVER, or whether it's more nuanced and based on expectation)
> * "normative algorithm vs. invariants for specifications".
>
>
> I'm willing to write up these issues and the sniffing ones from http://tools.ietf.org/html/draft-masinter-mime-web-info , and I hope we can capture Pete Resnick's issues as well as Alexey's.
>
> Larry
>
>
> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Tobias Gondrom
> Sent: Sunday, October 02, 2011 2:44 PM
> To: hallam@gmail.com
> Cc: websec@ietf.org
> Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
> Importance: Low
>
> <hat="individual">
> Whether browsers will implement it, I can't tell. Maybe we can learn more when we progress further with the mime-sniff draft.
>
> I don't have a strong opinion on the nosniff header.
> Depending on where the mime-sniff debate will lead us, it might be a way to mitigate concerns that in certain cases you really SHOULD NOT or MUST NOT (RFC2119) sniff. And with such a header you could enforce exactly that for your sources, without breaking other unknown things/sites - which is the main reason for many browser vendors to start sniffing in the first place.
> (in one way nosniff could even be a migration path to less sniffing....)
>
> Best regards, Tobias
>
>
>
> On 01/10/11 15:30, Phillip Hallam-Baker wrote:
>> On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth<ietf@adambarth.com>  wrote:
>>> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
>>> <duerst@it.aoyama.ac.jp>  wrote:
>>>> On 2011/09/29 11:45, Adam Barth wrote:
>>>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
>>>>> <duerst@it.aoyama.ac.jp>    wrote:
>>>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>>> But then, as I recall, the whole business of sniffing is pretty
>>>>>> controversial to start with. Are there differences between the
>>>>>> controversiality of sniffing as such and the controversiality of
>>>>>> the nosniff directive that explain why one is in the draft and the
>>>>>> other is not?
>>>>> The reason why one is in and the other isn't is just historical.
>>>>> nosniff didn't exist at the time the document was originally written.
>>>> Your first answer sounded as if the nosniff directive was too
>>>> controversial to be included in any draft, but your second answer
>>>> seems to suggest that it was left out by (historical) accident, and
>>>> that it might be worth including it.
>>> The essential question isn't whether we should include it in the
>>> draft.  The essential question is whether folks want to implement it.
>>> If no one wants to implement it, putting it in the draft is a
>>> negative.  If folks want to implement, then we can deal with the
>>> controversy.
>> +1
>>
>> The controversy seems to be of the 'cut off nose to spite face'
>> variety. Sniffing is definitely terrible from a security perspective
>> but people do it. Java and JavaScript were terrible as well but
>> people did them and then left the rest of us with a mess that had to
>> be fixed slowly over the next ten years.
>>
>> Sure this is not something we should have to think about but the fact
>> is that the browsers do it and it is better for the standards to
>> describe what the browsers actually do than what people think they
>> should do.
>>
>>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
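The thread talks about "the nosniff header" as the server-side way to opt a response out of content sniffing. The following is an added example, written for this archive page and not code from the websec working group or from any participant: a small audit script a site operator could run over their own responses to find resources that are still exposed to sniffing. It assumes the header as browsers ship it, `X-Content-Type-Options: nosniff` (the thread never spells out the full name), matches the token case-insensitively on the first value the way browsers do, and works on constructed sample responses embedded inline.

```python
"""Audit constructed HTTP responses for the nosniff opt-out.

Added example for the websec thread on MIME sniffing; not code from
the working group or any participant. Assumption: the "nosniff
header" discussed there is X-Content-Type-Options: nosniff, which is
what browsers implement. The parser and policy below are this
example's own, not taken from any draft.
"""
from typing import Dict, List, Tuple

# Constructed sample responses: (resource path, raw header block).
# They are not captured from any real server.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("/app.js",
     "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
     "X-Content-Type-Options: nosniff\r\n\r\n"),
    ("/legacy.txt",
     "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"),
    ("/upload/123",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     "x-content-type-options: NOSNIFF\r\n\r\n"),
    ("/weird",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     "X-Content-Type-Options: sniff-please\r\n\r\n"),
    ("/missing-type",
     "HTTP/1.1 200 OK\r\n\r\n"),
]


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Turn a raw header block into a lower-cased name -> values map.

    The status line is skipped and the first blank line ends the block.
    Duplicate names are kept as a list so a reviewer sees every value
    the server actually emitted.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def nosniff_requested(headers: Dict[str, List[str]]) -> bool:
    """True only when the first X-Content-Type-Options value is 'nosniff'.

    The header name arrives lower-cased from parse_headers; the value is
    compared case-insensitively. Any other value (see '/weird') does not
    opt out, it is simply ignored by the client.
    """
    values = headers.get("x-content-type-options")
    if not values:
        return False
    return values[0].strip().lower() == "nosniff"


def audit(responses: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each exposed path to the reason it is still sniffable.

    A response is flagged when it declares no Content-Type at all
    (nosniff can only pin a type the server actually declares) or when
    it declares one but never opts out of sniffing.
    """
    findings: Dict[str, str] = {}
    for path, raw in responses:
        headers = parse_headers(raw)
        if not headers.get("content-type"):
            findings[path] = "no Content-Type declared"
        elif not nosniff_requested(headers):
            findings[path] = "sniffing not opted out"
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {reason}")
```

Running the script lists `/legacy.txt`, `/weird` and `/missing-type`; `/upload/123` passes despite the odd capitalisation, which is the point of doing the comparison the way a browser does rather than with an exact string match.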