Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 02 October 2011 21:40 UTC

Message-ID: <4E88DB11.2010409@gondrom.org>
Date: Sun, 02 Oct 2011 22:43:45 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20110923 Thunderbird/7.0
MIME-Version: 1.0
To: hallam@gmail.com
X-Priority: 4 (Low)
References: <20110508004502.3883.40670.idtracker@ietfa.amsl.com> <4E7DB8E4.9040208@gmx.de> <4E83AA99.6080308@gondrom.org> <CAJE5ia_k3vXWixC6UsJ6mJ08xW8NQO06MVVD9-dzYSOFkDfutg@mail.gmail.com> <4E83BF67.3040207@it.aoyama.ac.jp> <CAJE5ia_b8W0DMZnCmXWYTHwQ-WGpm-Jg+Lozd7UWJPKj6zVqww@mail.gmail.com> <4E86A1B0.3090601@it.aoyama.ac.jp> <CAJE5ia9XO9tKdwE57rCD7KjyFcOFVCZJSNS0T+fBr1fEOF6B7A@mail.gmail.com> <CAMm+Lwio2qvABYkmFRzxs5DHJASpXo_doov9AWsqCSc8ETwyUA@mail.gmail.com>
In-Reply-To: <CAMm+Lwio2qvABYkmFRzxs5DHJASpXo_doov9AWsqCSc8ETwyUA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: websec@ietf.org
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

<hat="individual">
Whether browsers will implement it, I can't tell. Maybe we can learn more 
when we progress further with the mime-sniff draft.

I don't have a strong opinion on the nosniff header.
Depending on where the mime-sniff debate will lead us, it might be a way 
to mitigate concerns that in certain cases you really SHOULD NOT or MUST 
NOT (RFC2119) sniff. Well, and with such a header you could enforce 
exactly that for your sources, without breaking other unknown 
things/sites - which is the main reason for many browser vendors to 
start doing sniffing in the first place.
(In one way nosniff could even be a migration path to less sniffing...)

Best regards, Tobias



On 01/10/11 15:30, Phillip Hallam-Baker wrote:
> On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth <ietf@adambarth.com> wrote:
>> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
>> <duerst@it.aoyama.ac.jp> wrote:
>>> On 2011/09/29 11:45, Adam Barth wrote:
>>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
>>>> <duerst@it.aoyama.ac.jp> wrote:
>>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>> But then, as I recall, the whole business of sniffing is pretty
>>>>> controversial to start with. Are there differences between the
>>>>> controversiality of sniffing as such and the controversiality of the
>>>>> nosniff directive that explain why one is in the draft and the other is not?
>>>> The reason why one is in and the other isn't is just historical.
>>>> nosniff didn't exist at the time the document was originally written.
>>> Your first answer sounded as if the nosniff directive was too controversial
>>> to be included in any draft, but your second answer seems to suggest that it
>>> was left out by (historical) accident, and that it might be worth to include
>>> it.
>> The essential question isn't whether we should include it in the
>> draft.  The essential question is whether folks want to implement it.
>> If no one wants to implement it, putting it in the draft is a
>> negative.  If folks want to implement, then we can deal with the
>> controversy.
> +1
>
> The controversy seems to be of the 'cut off nose to spite face'
> variety. Sniffing is definitely terrible from a security perspective
> but people do it. Java and JavaScript were terrible as well but
> people did them and then left the rest of us with a mess that had to
> be fixed slowly over the next ten years.
>
> Sure this is not something we should have to think about but the fact
> is that the browsers do it and it is better for the standards to
> describe what the browsers actually do than what people think they
> should do.
>
>
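As an added illustration of the trade-off Tobias describes (a site that labels its own responses correctly can opt out of sniffing for them, while other sites that still depend on sniffing are left alone), here is a toy model of the decision. This is example code written for this archive page; it is not the mime-sniff draft's algorithm and not any browser's code. The header name `X-Content-Type-Options` and the value `nosniff` are the ones browsers actually shipped; the HTML markers and the list of "weak" declared types are constructed for the illustration and deliberately minimal.

```python
"""Toy model: how a nosniff directive changes the type a client acts on.

Added illustration for the websec thread; not the draft's algorithm and
not real browser code. Header name/value (X-Content-Type-Options: nosniff)
are the deployed ones; the matching rules below are a constructed toy.
"""

# Constructed: a few byte patterns a naive sniffer would treat as HTML.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe")

# Constructed: declared types a toy sniffer is willing to override.
WEAK_DECLARED_TYPES = ("", "text/plain", "application/octet-stream", "unknown/unknown")


def declared_type(headers):
    """Return the media type from Content-Type, without parameters, lowercased."""
    ct = headers.get("Content-Type", "")
    return ct.split(";")[0].strip().lower()


def nosniff_set(headers):
    """True when the response opts out of sniffing via X-Content-Type-Options."""
    return headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"


def looks_like_html(body, limit=512):
    """Toy content check: scan the first `limit` bytes for HTML markers."""
    head = body[:limit].lstrip().lower()
    return any(marker in head for marker in HTML_MARKERS)


def effective_type(headers, body):
    """Type a toy client would act on for this response.

    With nosniff the declared type is final, so a server that labels its own
    resources correctly never has them reinterpreted.  Without nosniff the
    client falls back to content sniffing for weak or missing declarations,
    which is the behaviour the thread describes as bad but widely deployed.
    """
    declared = declared_type(headers)
    if nosniff_set(headers):
        return declared or "application/octet-stream"
    if declared in WEAK_DECLARED_TYPES and looks_like_html(body):
        return "text/html"
    return declared or "application/octet-stream"


def audit_response(headers):
    """Defender-side check: list what a server should fix before relying on nosniff."""
    findings = []
    if not declared_type(headers):
        findings.append("missing Content-Type: nosniff would leave the type undefined")
    if not nosniff_set(headers):
        findings.append("missing X-Content-Type-Options: nosniff; client may sniff")
    return findings


if __name__ == "__main__":
    # Constructed sample: a user-uploaded text file whose contents resemble HTML.
    body = b"<html><body>user-supplied upload</body></html>"
    plain = {"Content-Type": "text/plain"}
    plain_nosniff = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}
    print("without nosniff:", effective_type(plain, body))          # text/html
    print("with nosniff:   ", effective_type(plain_nosniff, body))  # text/plain
    print("audit:", audit_response({}))
```

The two calls in the `__main__` block make the point of the thread concrete: the same body and the same declared type yield different effective types depending only on whether the server opted out of sniffing, and a site that has not yet fixed its own labels (the `audit_response` findings) gains nothing from the directive.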