On 30/09/2003 03:44, Jill Ramonsky wrote:
... Plus, you'd have to find a user dumb enough to be running a
sufficiently old browser that it was still prone to this exploit. (I'm
pretty sure modern browsers will have closed that hole by now, but
again, you never know). ...
But the whole motivatio
;s a different kettle
of fish altogether. Maybe we could have another thread for that.
> -Original Message-
> From: Peter Kirk [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 29, 2003 5:33 PM
> To: Jill Ramonsky
> Cc: [EMAIL PROTECTED]
> Subject: Re: Fun with proof by analogy, w
François --
You might be interested to know that all of your recent mail has the
following header attached to it! Sounds to me like your outgoing server is
tagging mail, and it's getting things wrong.
Rick
> X-Spam-Report: This mail is probably spam. The original message has been
>
Jill Ramonsky wrote:
> First point - if no information is present, assume "us-ascii".
> Sounds extremely sensible to me.
Sounds very misguided to me.
> ASCII is the intersection of Latin-1, UTF-8, and various other
> commonly used encodings.
How does that make it more likely that guessing ASCII
> Agreed. But if they don't parse the HTML they don't know what the
> content of the document is and so they have no business to mess around
> with that content by re-encoding it.
There is no re-encoding! There just might be is all.
There might also be a lot of other things going on, and hence
On 29/09/2003 08:01, Jill Ramonsky wrote:
...
As far as the browser is concerned, meta tags in the document _/must
not/_ override the headers, as this could result in security holes
exploitable by attackers.
The issue is slightly more complicated. The browser /must/ believe the
HTTP headers. H
On 29/09/2003 07:27, Francois Yergeau wrote:
...
It takes large amounts of tricky code to reliably parse real-life HTML. It
is unreasonable to expect servers, which have no business parsing HTML, to
contain this code. ...
Agreed. But if they don't parse the HTML they don't know what the
content
]]
> Sent: Saturday, September 27, 2003 3:48 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Fun with proof by analogy, was Re: Mojibake on
> my Web pages
>
>
> [EMAIL PROTECTED] scripsit:
>
> > First, the browser checks the HTTP header, then t
James Kass wrote:
> In the event of a conflict between the HTTP header and the HTML meta
> tag, of course the browser should believe the HTML meta tag. After
> all, who knows better than the author the encoding used to construct
> the file?
Who knows better the encoding used to *send* the file?
John Cowan wrote:
> It's worse than that. If the HTTP header says "text/xml" or
> "text/html",
> and no charset information is provided, a fully conforming browser
> MUST treat this as if the charset "us-ascii" is specified.
Nit: this is not the case for text/html, which fortunately took excepti
[EMAIL PROTECTED] scripsit:
> First, the browser checks the HTTP header, then the XML declaration
> (which is not relevant to HTML), then the HTML meta tag.
>
> Apparently, upon finding character set information, the operation
> stops, so if information is present in the HTTP header, the meta
> t
On 27/09/2003 02:19, Michael Everson wrote:
At 16:27 -0700 2003-09-26, Peter Kirk wrote:
...
I knew I had missed out the Mac community, largely because I don't
know enough about Mac browsers except that there is at least one
Unicode compatible one available, even if it is from Microsoft.
What?
At 16:27 -0700 2003-09-26, Peter Kirk wrote:
On 26/09/2003 14:31, Michael Everson wrote:
At 06:08 -0700 2003-09-26, Peter Kirk wrote:
And probably most users of non-Windows systems are either
reasonably computer literate or are supported by IT departments
which should do the upgrade.
Or have
Peter Constable wrote,
> Doug's server may be doing the wrong thing, but that isn't a
> counterargument to the general principle of whether the browser should
> believe what the server says or what the document says about the encoding.
> That was the question to which I and, I think, Jon were
Peter Constable wrote,
> Folks, feel free to spend your time bantering on about whether something
> should or shouldn't do this or that. But while you're at it, if you want
> to know whether the http encoding declaration is supposed to have
> precedence over the encoding declaration inside the
James Kass wrote on 09/26/2003 01:46:43 AM:
> But, this simply isn't the case with Doug Ewell's web pages. Doug's
> pages are properly encoded using the world's standard for text
> encoding and properly tagged. The server isn't performing any
> conversion, it's just adulterating the content of t
Peter Kirk wrote on 09/26/2003 02:21:59 AM:
> >Unlike James's cup of wine, this really is a good analogy. Suppose the
> >document is stored on the server in ISO 8859-1 and the browser requesting
> >the page understands only EBCDIC. The server must convert it -- if it
> >doesn't, it will appear
Michael Everson scripsit:
> At 08:33 -0400 2003-09-26, John Cowan wrote:
>
> >Alas, we are in a cleft stick: almost all users are now using a
> >browser that is not going to be upgraded, short of replacing their
> >operating system.
>
> Which they all surely will, at some stage. I mean, who's rea
On 26/09/2003 14:31, Michael Everson wrote:
At 06:08 -0700 2003-09-26, Peter Kirk wrote:
And probably most users of non-Windows systems are either reasonably
computer literate or are supported by IT departments which should do
the upgrade.
Or have Macs and don't need any help. :-)
Indeed, unl
At 06:08 -0700 2003-09-26, Peter Kirk wrote:
And probably most users of non-Windows systems are either reasonably
computer literate or are supported by IT departments which should do
the upgrade.
Or have Macs and don't need any help. :-)
--
Michael Everson * * Everson Typography * * http://www.
At 08:33 -0400 2003-09-26, John Cowan wrote:
Alas, we are in a cleft stick: almost all users are now using a
browser that is not going to be upgraded, short of replacing their
operating system.
Which they all surely will, at some stage. I mean, who's really still
running a Mac Plus with Mac OS 3.
On 26/09/2003 06:16, John Cowan wrote:
Peter Kirk scripsit:
Almost all users of what? This isn't true of Windows, and for better or
for worse the majority of all browser users use Windows. Windows, at
least 98+, nags you to upgrade to the latest version of IE whether you
want to or not - wh
> >... The rule of http headers over-riding embedded self-description is going
> to be necessary until this has come to pass.
> >Even after then it's going to be necessary as there is only one http header
> which states encoding, but there is an unlimited number of mechanisms for
> self-description
Peter Kirk scripsit:
> Almost all users of what? This isn't true of Windows, and for better or
> for worse the majority of all browser users use Windows. Windows, at
> least 98+, nags you to upgrade to the latest version of IE whether you
> want to or not - which is annoying on my old PC which
On 26/09/2003 05:33, John Cowan wrote:
Peter Kirk scripsit:
Since there is plenty of good and free browser software available which
does support UTF-8, perhaps servers should start assuming that browsers
can support it, and that will gently encourage software vendors and
users to upgrade.
Peter Kirk scripsit:
> Since there is plenty of good and free browser software available which
> does support UTF-8, perhaps servers should start assuming that browsers
> can support it, and that will gently encourage software vendors and
> users to upgrade.
Alas, we are in a cleft stick: alm
On 26/09/2003 11:34, [EMAIL PROTECTED] wrote:
Is server software actually obliged to perform such conversions on
request?
No, there is no obligation.
Surely, rather, browsers should be expected to support a
certain minimum set of encodings,
Ah but how minimum is acceptable?
Of cou
> Is server software actually obliged to perform such conversions on
> request?
No, there is no obligation.
Surely, rather, browsers should be expected to support a
> certain minimum set of encodings,
Ah but how minimum is acceptable?
Of course, and I've said this already in this thread, we
> But, the notion that it is acceptable for a server to blithely assume
> that any given user is incompetent is repugnant. I no more want
> my server to generate incorrect protocols for my web pages than
> I want my server to run a spell-checker on the contents.
>
> Fortunately, rather than Doug'
On 26/09/2003 00:14, [EMAIL PROTECTED] wrote:
The last agent handling the document would be the mail carrier.
Does the mail carrier have the right to open the mailing and
replace your document with garbage?
No, however if I receive a letter in the post written in German I'm
going to ask so
Peter Constable wrote,
> > No, however if I receive a letter in the post written in German I'm
> > going to ask someone to translate it rather than try to cope with a
> > language (c.f. encoding) I don't understand.
>
> Unlike James's cup of wine, this really is a good analogy. Suppose the
>
> > The last agent handling the document would be the mail carrier.
> > Does the mail carrier have the right to open the mailing and
> > replace your document with garbage?
>
> No, however if I receive a letter in the post written in German I'm
> going to ask someone to translate it rather than t
> >>Suppose you made a document and sent it to me via conventional post.
> >>
> >>The last agent handling the document would be the mail carrier.
> >>Does the mail carrier have the right to open the mailing and
> >>replace your document with garbage?
> >>
> >>
> >>
> >>No, however if I receive
On 25/09/2003 10:51, [EMAIL PROTECTED] wrote:
Suppose you made a document and sent it to me via conventional post.
The last agent handling the document would be the mail carrier.
Does the mail carrier have the right to open the mailing and
replace your document with garbage?
No, however if I
35 matches