Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-10-02 Thread Bjoern Hoehrmann
* Tobias Gondrom wrote:
>
>Whether browsers will implement it, I can't tell. Maybe we can learn more 
>when we progress further with the mime-sniff draft.

Per http://www.browserscope.org/?category=security it's already in IE
and "Chrome", should Mozilla decide to support it, it's a "standard".
-- 
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec


Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-10-02 Thread Tobias Gondrom


Whether browsers will implement it, I can't tell. Maybe we can learn more 
when we progress further with the mime-sniff draft.


I don't have a strong opinion on the nosniff header.
Depending on where the mime-sniff debate will lead us, it might be a way 
to mitigate concerns that in certain cases you really SHOULD NOT or MUST 
NOT (RFC2119) sniff. Well, and with such a header you could enforce 
exactly that for your sources, without breaking other unknown 
things/sites - which is the main reason for many browser vendors to 
start doing sniffing in the first place.

(in one way nosniff could even be a migration path to less sniffing)

Best regards, Tobias



On 01/10/11 15:30, Phillip Hallam-Baker wrote:

> On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth wrote:
>
>> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst" wrote:
>>
>>> On 2011/09/29 11:45, Adam Barth wrote:
>>>
>>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst" wrote:
>>>>
>>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>
>>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>>
>>>>> But then, as I recall, the whole business of sniffing is pretty
>>>>> controversial to start with. Are there differences between the
>>>>> controversiality of sniffing as such and the controversiality of the
>>>>> nosniff directive that explain why one is in the draft and the other is not?
>>>>
>>>> The reason why one is in and the other isn't is just historical.
>>>> nosniff didn't exist at the time the document was originally written.
>>>
>>> Your first answer sounded as if the nosniff directive was too controversial
>>> to be included in any draft, but your second answer seems to suggest that it
>>> was left out by (historical) accident, and that it might be worth including
>>> it.
>>
>> The essential question isn't whether we should include it in the
>> draft.  The essential question is whether folks want to implement it.
>> If no one wants to implement it, putting it in the draft is a
>> negative.  If folks want to implement, then we can deal with the
>> controversy.
>
> +1
>
> The controversy seems to be of the 'cut off nose to spite face'
> variety. Sniffing is definitely terrible from a security perspective
> but people do it. Java and JavaScript were terrible as well but
> people did them and then left the rest of us with a mess that had to
> be fixed slowly over the next ten years.
>
> Sure this is not something we should have to think about but the fact
> is that the browsers do it and it is better for the standards to
> describe what the browsers actually do than what people think they
> should do.






Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-10-01 Thread Phillip Hallam-Baker
On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth  wrote:
> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
>  wrote:
>> On 2011/09/29 11:45, Adam Barth wrote:
>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst" wrote:
>>>
>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>
>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>
>>>> But then, as I recall, the whole business of sniffing is pretty
>>>> controversial to start with. Are there differences between the
>>>> controversiality of sniffing as such and the controversiality of the
>>>> nosniff directive that explain why one is in the draft and the other is not?
>>>
>>> The reason why one is in and the other isn't is just historical.
>>> nosniff didn't exist at the time the document was originally written.
>>
>> Your first answer sounded as if the nosniff directive was too controversial
>> to be included in any draft, but your second answer seems to suggest that it
>> was left out by (historical) accident, and that it might be worth including
>> it.
>
> The essential question isn't whether we should include it in the
> draft.  The essential question is whether folks want to implement it.
> If no one wants to implement it, putting it in the draft is a
> negative.  If folks want to implement, then we can deal with the
> controversy.

+1

The controversy seems to be of the 'cut off nose to spite face'
variety. Sniffing is definitely terrible from a security perspective
but people do it. Java and JavaScript were terrible as well but
people did them and then left the rest of us with a mess that had to
be fixed slowly over the next ten years.

Sure this is not something we should have to think about but the fact
is that the browsers do it and it is better for the standards to
describe what the browsers actually do than what people think they
should do.


-- 
Website: http://hallambaker.com/


Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-30 Thread Adam Barth
On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
 wrote:
> On 2011/09/29 11:45, Adam Barth wrote:
>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst" wrote:
>>>
>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>
>>>> As I recall, the nosniff directive is pretty controversial.
>>>
>>> But then, as I recall, the whole business of sniffing is pretty
>>> controversial to start with. Are there differences between the
>>> controversiality of sniffing as such and the controversiality of the
>>> nosniff
>>> directive that explain why one is in the draft and the other is not?
>>
>> The reason why one is in and the other isn't is just historical.
>> nosniff didn't exist at the time the document was originally written.
>
> Your first answer sounded as if the nosniff directive was too controversial
> to be included in any draft, but your second answer seems to suggest that it
> was left out by (historical) accident, and that it might be worth including
> it.

The essential question isn't whether we should include it in the
draft.  The essential question is whether folks want to implement it.
If no one wants to implement it, putting it in the draft is a
negative.  If folks want to implement, then we can deal with the
controversy.

Adam


Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-30 Thread Martin J. Dürst

Hello Adam,

On 2011/09/29 11:45, Adam Barth wrote:
> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst" wrote:
>> On 2011/09/29 8:26, Adam Barth wrote:
>>> As I recall, the nosniff directive is pretty controversial.
>>
>> But then, as I recall, the whole business of sniffing is pretty
>> controversial to start with. Are there differences between the
>> controversiality of sniffing as such and the controversiality of the nosniff
>> directive that explain why one is in the draft and the other is not?
>
> The reason why one is in and the other isn't is just historical.
> nosniff didn't exist at the time the document was originally written.

Your first answer sounded as if the nosniff directive was too 
controversial to be included in any draft, but your second answer seems 
to suggest that it was left out by (historical) accident, and that it 
might be worth including it.

Regards, Martin.


Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-28 Thread Adam Barth
On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
 wrote:
> On 2011/09/29 8:26, Adam Barth wrote:
>>
>> As I recall, the nosniff directive is pretty controversial.
>
> But then, as I recall, the whole business of sniffing is pretty
> controversial to start with. Are there differences between the
> controversiality of sniffing as such and the controversiality of the nosniff
> directive that explain why one is in the draft and the other is not?

The reason why one is in and the other isn't is just historical.
nosniff didn't exist at the time the document was originally written.

Adam


>> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom
>>   wrote:
>>>
>>> Hello,
>>>
>>> although this has been around for a while, just stumbled again over this
>>> http header when I analysed the bits on the wire of some web
>>> applications:
>>>
>>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
>>> header instructs the browser not to override the response content type. For
>>> example, some browsers try to be smart by deciding for themselves if the
>>> content really is text/html or an image. So with the nosniff option, if
>>> the server says the content is text/html, then the browser needs to render
>>> it as text/html.
>>>
>>> Is this something we should mention in mime-sniff or even consider to
>>> encourage?
>>>
>>> Kind regards, Tobias
>>>
>>>
>>>> On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
>>>>>
>>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>>> directories.
>>>>> This draft is a work item of the Web Security Working Group of the
>>>>> IETF.
>>>>>
>>>>>
>>>>> Title : Media Type Sniffing
>>>>> Author(s) : A. Barth, I. Hickson
>>>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>>>> Pages : 24
>>>>> Date : 2011-05-07
>>>>> ...



Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-28 Thread Martin J. Dürst

On 2011/09/29 8:26, Adam Barth wrote:
> As I recall, the nosniff directive is pretty controversial.

But then, as I recall, the whole business of sniffing is pretty 
controversial to start with. Are there differences between the 
controversiality of sniffing as such and the controversiality of the 
nosniff directive that explain why one is in the draft and the other is not?

Regards, Martin.

> Adam
>
>
> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom wrote:
>
>> Hello,
>>
>> although this has been around for a while, just stumbled again over this
>> http header when I analysed the bits on the wire of some web applications:
>>
>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
>> header instructs the browser not to override the response content type. For
>> example, some browsers try to be smart by deciding for themselves if the
>> content really is text/html or an image. So with the nosniff option, if
>> the server says the content is text/html, then the browser needs to render
>> it as text/html.
>>
>> Is this something we should mention in mime-sniff or even consider to
>> encourage?
>>
>> Kind regards, Tobias
>>
>>
>>> On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
>>>>
>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>> directories.
>>>> This draft is a work item of the Web Security Working Group of the IETF.
>>>>
>>>>
>>>> Title : Media Type Sniffing
>>>> Author(s) : A. Barth, I. Hickson
>>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>>> Pages : 24
>>>> Date : 2011-05-07
>>>> ...






Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-28 Thread Adam Barth
That's treated as text/plain, for what it's worth.

Strangely, it's more common to get an empty content type with a
nosniff directive than without one (by a few fractions of a percent).

Adam


On Wed, Sep 28, 2011 at 4:31 PM, Tobias Gondrom
 wrote:
> I can imagine. As there come problems with it, just thinking of empty
> content-types and then forbidding to sniff. Just a thought.
>
> Tobias
>
>
> On 29/09/11 00:26, Adam Barth wrote:
>>
>> As I recall, the nosniff directive is pretty controversial.
>>
>> Adam
>>
>>
>> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom
>>   wrote:
>>>
>>> Hello,
>>>
>>> although this has been around for a while, just stumbled again over this
>>> http header when I analysed the bits on the wire of some web
>>> applications:
>>>
>>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
>>> header instructs the browser not to override the response content type. For
>>> example, some browsers try to be smart by deciding for themselves if the
>>> content really is text/html or an image. So with the nosniff option, if
>>> the server says the content is text/html, then the browser needs to render
>>> it as text/html.
>>>
>>> Is this something we should mention in mime-sniff or even consider to
>>> encourage?
>>>
>>> Kind regards, Tobias
>>>
>>>
>>>> On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
>>>>>
>>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>>> directories.
>>>>> This draft is a work item of the Web Security Working Group of the
>>>>> IETF.
>>>>>
>>>>>
>>>>> Title : Media Type Sniffing
>>>>> Author(s) : A. Barth, I. Hickson
>>>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>>>> Pages : 24
>>>>> Date : 2011-05-07
>>>>> ...
>>>


Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-28 Thread Tobias Gondrom
I can imagine. As there come problems with it, just thinking of empty 
content-types and then forbidding to sniff. Just a thought.


Tobias


On 29/09/11 00:26, Adam Barth wrote:
> As I recall, the nosniff directive is pretty controversial.
>
> Adam
>
>
> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom wrote:
>
>> Hello,
>>
>> although this has been around for a while, just stumbled again over this
>> http header when I analysed the bits on the wire of some web applications:
>>
>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
>> header instructs the browser not to override the response content type. For
>> example, some browsers try to be smart by deciding for themselves if the
>> content really is text/html or an image. So with the nosniff option, if
>> the server says the content is text/html, then the browser needs to render
>> it as text/html.
>>
>> Is this something we should mention in mime-sniff or even consider to
>> encourage?
>>
>> Kind regards, Tobias
>>
>>
>>> On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
>>>>
>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>> directories.
>>>> This draft is a work item of the Web Security Working Group of the IETF.
>>>>
>>>>
>>>> Title : Media Type Sniffing
>>>> Author(s) : A. Barth, I. Hickson
>>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>>> Pages : 24
>>>> Date : 2011-05-07
>>>> ...



Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-28 Thread Adam Barth
As I recall, the nosniff directive is pretty controversial.

Adam


On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom
 wrote:
> Hello,
>
> although this has been around for a while, just stumbled again over this
> http header when I analysed the bits on the wire of some web applications:
>
> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
> header instructs the browser not to override the response content type. For
> example, some browsers try to be smart by deciding for themselves if the
> content really is text/html or an image. So with the nosniff option, if
> the server says the content is text/html, then the browser needs to render
> it as text/html.
>
> Is this something we should mention in mime-sniff or even consider to
> encourage?
>
> Kind regards, Tobias
>
>
>> On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Web Security Working Group of the IETF.
>>>
>>>
>>> Title : Media Type Sniffing
>>> Author(s) : A. Barth, I. Hickson
>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>> Pages : 24
>>> Date : 2011-05-07
>>> ...
>>
>


Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-28 Thread Tobias Gondrom

Hello,

although this has been around for a while, just stumbled again over this 
http header when I analysed the bits on the wire of some web applications:

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. 
The header instructs the browser not to override the response content 
type. For example, some browsers try to be smart by deciding for 
themselves if the content really is text/html or an image. So with 
the nosniff option, if the server says the content is text/html, then 
the browser needs to render it as text/html.

Is this something we should mention in mime-sniff or even consider to 
encourage?

Kind regards, Tobias


> On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>>
>> This draft is a work item of the Web Security Working Group of the IETF.
>>
>>
>> Title : Media Type Sniffing
>> Author(s) : A. Barth, I. Hickson
>> Filename : draft-ietf-websec-mime-sniff-03.txt
>> Pages : 24
>> Date : 2011-05-07
>> ...




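The header Tobias describes in the message above, and the empty-Content-Type case Adam Barth answers earlier in this thread ("That's treated as text/plain"), as an added example that is not part of the websec thread, the mime-sniff draft or any browser's code: a small Python audit that parses a raw HTTP response head, reports whether `X-Content-Type-Options: nosniff` is set and whether `Content-Type` is present and non-empty, and states which media type a nosniff-honouring user agent would end up with. The sample response heads are constructed for this example. Two points are assumptions of this code rather than statements from the thread: an absent `Content-Type` is folded in with the empty one, and header-value parsing is simplified (last duplicate wins, value compared case-insensitively).

```python
# Added example (not code from the websec thread or the mime-sniff draft):
# audit raw HTTP response heads for the X-Content-Type-Options header.
# The "empty Content-Type + nosniff -> text/plain" rule is the behaviour
# Adam Barth reports in the thread; treating an *absent* Content-Type the
# same way is an assumption made here for the audit.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x response head (status line, header lines, blank
    line) into a dict keyed by the lower-cased header name. If a header
    repeats, the last value wins: a simplification, enough for this audit."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:   # index 0 is the status line
        if line.strip() == "":           # blank line terminates the head
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                     # not a header line; ignore it
        headers[name.strip().lower()] = value.strip()
    return headers


@dataclass
class SniffAudit:
    content_type: Optional[str]   # None when absent, "" when present but empty
    nosniff: bool                 # X-Content-Type-Options: nosniff was sent
    effective_type: str           # media type a nosniff-honouring UA would use
    findings: List[str] = field(default_factory=list)


def audit_response(raw: str) -> SniffAudit:
    """Audit one response head for the nosniff / Content-Type combination."""
    headers = parse_response_head(raw)
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    content_type = headers.get("content-type")   # None if the header is absent
    findings: List[str] = []

    if not nosniff:
        findings.append("no 'X-Content-Type-Options: nosniff'; a sniffing UA "
                        "may override the declared media type")
    if content_type is None:
        findings.append("Content-Type header absent")
    elif content_type == "":
        findings.append("Content-Type header present but empty")

    if nosniff and not content_type:
        # Empty Content-Type with nosniff is treated as text/plain (thread).
        # The absent-header case is folded in here as an assumption.
        effective = "text/plain"
        findings.append("nosniff with empty/absent Content-Type: the response "
                        "will be handled as text/plain, not as its real type")
    elif nosniff:
        # The declared type is binding; drop parameters such as charset.
        effective = content_type.split(";", 1)[0].strip().lower()
    else:
        # Without nosniff the declared type is only a hint to the UA.
        effective = "undetermined (sniffing allowed)"
    return SniffAudit(content_type, nosniff, effective, findings)


# Constructed sample response heads (not captured from any real server).
SAMPLE_HTML_NOSNIFF = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
SAMPLE_EMPTY_CT_NOSNIFF = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: \r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
SAMPLE_PNG_NO_NOSNIFF = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in [("html + nosniff", SAMPLE_HTML_NOSNIFF),
                       ("empty Content-Type + nosniff", SAMPLE_EMPTY_CT_NOSNIFF),
                       ("png, no nosniff", SAMPLE_PNG_NO_NOSNIFF)]:
        result = audit_response(raw)
        print(f"{label}: effective={result.effective_type!r} "
              f"nosniff={result.nosniff} findings={result.findings}")
```

The second sample is the case Tobias raises and Adam answers: once `nosniff` forbids the browser from looking at the body, an empty `Content-Type` is no longer repaired by sniffing, so the audit flags it as a misconfiguration rather than as a hardening win.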


Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-24 Thread Alexey Melnikov

Julian Reschke wrote:
> On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>>
>> This draft is a work item of the Web Security Working Group of the IETF.
>>
>>
>> Title : Media Type Sniffing
>> Author(s) : A. Barth, I. Hickson
>> Filename : draft-ietf-websec-mime-sniff-03.txt
>> Pages : 24
>> Date : 2011-05-07
>> ...
>
> I think it would be good if the Internet Drafts database could be 
> updated to say that draft-ietf-websec-mime-sniff replaces 
> draft-abarth-mime-sniff (this helps with various tools that try to 
> check for up-to-date-ness and successor documents).

Will do.




Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-09-24 Thread Julian Reschke

On 2011-05-08 02:45, internet-dra...@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Security Working Group of the IETF.
>
>
> Title : Media Type Sniffing
> Author(s) : A. Barth, I. Hickson
> Filename : draft-ietf-websec-mime-sniff-03.txt
> Pages : 24
> Date : 2011-05-07
> ...

I think it would be good if the Internet Drafts database could be 
updated to say that draft-ietf-websec-mime-sniff replaces 
draft-abarth-mime-sniff (this helps with various tools that try to check 
for up-to-date-ness and successor documents).


Best regards, Julian


[websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

2011-05-07 Thread Internet-Drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Security Working Group of the IETF.


Title : Media Type Sniffing
Author(s) : A. Barth, I. Hickson
Filename : draft-ietf-websec-mime-sniff-03.txt
Pages : 24
Date : 2011-05-07

Many web servers supply incorrect Content-Type header fields with
their HTTP responses.  In order to be compatible with these servers,
user agents consider the content of HTTP responses as well as the
Content-Type header fields when determining the effective media type
of the response.  This document describes an algorithm for
determining the effective media type of HTTP responses that balances
security and compatibility considerations.

Please send feedback on this draft to websec@ietf.org.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-mime-sniff-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

