Larry,
Have you filed all the issues you'd like addressed? I went though the
issue tracker and I only found two:
http://wiki.tools.ietf.org/wg/websec/trac/ticket/15
http://wiki.tools.ietf.org/wg/websec/trac/ticket/16
Below you mention nosniff, but I don't see that in the issue
tracker. Please let me know when you've finished filing the issues
you care about.
Adam
On Sat, Oct 15, 2011 at 4:52 PM, Larry Masinter masin...@adobe.com wrote:
Could we start using the IETF tracker to keep track of our conversation on
the issues on MIME sniffing?
The interaction with a nosniff header should be one issue.
The other three big issues that come to mind are
* scope (do what situations does this apply)
* opt-in case-by-case (whether one either sniffs ALWAYS or sniffs NEVER,
or whether it's more nuanced and based on expectation)
* normative algorithm vs. invariants for specifications.
I'm willing to write up these issues and the sniffing ones from
http://tools.ietf.org/html/draft-masinter-mime-web-info , and I hope we can
capture Pete Resnick's issues as well as Alexey's.
Larry
-Original Message-
From: websec-boun...@ietf.org [mailto:websec-boun...@ietf.org] On Behalf Of
Tobias Gondrom
Sent: Sunday, October 02, 2011 2:44 PM
To: hal...@gmail.com
Cc: websec@ietf.org
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
Importance: Low
hat=individual
Whether browser will implement it, can't tell. Maybe we can learn more when
we progress further with the mime-sniff draft.
I don't have a strong opinion on the nosniff header.
Depending on where the mime-sniff debate will lead us, it might be a way to
mitigate concerns that in certain cases you really SHOULD NOT or MUST NOT
(RFC2119) sniff. Well and with such a header you could enforce exactly that
for your sources, without breaking other unknown things/sites - which is the
main reason for many browser vendors to start do sniffing in the first place.
(in one way nosniff could even be a migration path to less sniffing)
Best regards, Tobias
On 01/10/11 15:30, Phillip Hallam-Baker wrote:
On Sat, Oct 1, 2011 at 2:47 AM, Adam Barthi...@adambarth.com wrote:
On Fri, Sep 30, 2011 at 10:14 PM, Martin J. Dürst
due...@it.aoyama.ac.jp wrote:
On 2011/09/29 11:45, Adam Barth wrote:
On Wed, Sep 28, 2011 at 5:44 PM, Martin J. Dürst
due...@it.aoyama.ac.jp wrote:
On 2011/09/29 8:26, Adam Barth wrote:
As I recall, the nosniff directive is pretty controversial.
But then, as I recall, the whole business of sniffing is pretty
controversial to start with. Are there differences between the
controversiality of sniffing as such and the controversiality of
the nosniff directive that explain why one is in the draft and the
other is not?
The reason why one is in and the other isn't is just historical.
nosniff didn't exist at the time the document was originally written.
Your first answer sounded as if the nosniff directive was too
controversial to be included in any draft, but your second answer
seems to suggest that it was left out by (historical) accident, and
that it might be worth to include it.
The essential question isn't whether we should include it in the
draft. The essential question is whether folks want to implement it.
If no one wants to implement it, putting it in the draft is a
negative. If folks want to implement, then we can deal with the
controversy.
+1
The controversy seems to be of the 'cut off nose to spite face'
variety. Sniffing is definitely terrible from a security perspective
but people do it. Java and Java Script were terrible as well but
people did them and then left the rest of us with a mess that had to
be fixed slowly over then next ten years.
Sure this is not something we should have to think about but the fact
is that the browsers do it and it is better for the standards to
describe what the browsers actually do than what people think they
should do.
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec