Adam Barth wrote:
2009/6/1 Bil Corry :
Den.Molib wrote on 6/1/2009 4:55 PM:
follow the last one, as it's the one provided nearer the content.
And by the same logic, the header closest to the content could be the one that
was injected by an attacker (via application hole) -- so might choosing
Looping in Dannyb (who may not be on the list, so if necessary, I'll
forward) as I'm in the midst of a conference and can't give this the
attention it deserves.
Chris
On Tue, Jun 2, 2009 at 1:19 PM, Håkon Wium Lie wrote:
> Also sprach Chris DiBona:
>
> > To be clear, there are two situations he
On Tue, Jun 2, 2009 at 12:19 AM, Julian Reschke wrote:
> Adam Barth wrote:
>> In any case, the four major browsers that actually look at the
>> Content-Type header agree and use the last header. The only browser
>> that uses the first header more or less ignores it anyway.
>
> Could you clarify t
On Mon, 18 Aug 2008, Robert O'Callahan wrote:
> On Mon, Aug 18, 2008 at 2:19 PM, Ian Hickson wrote:
> > On Mon, 18 Aug 2008, Robert O'Callahan wrote:
> > >
> > > IE7, FF3 and Opera 9.51 compress whitespace when getting
> > > document.title. \t and \n (at least) are converted to spaces, runs
> >
Adam Barth wrote:
Sure. For the sake of discussion, let's say IE6 and IE7. Basically,
if the Content-Type header contains a value IE knows about, then IE
pretty much ignores the value and engages its sniffing algorithm. So,
for example, if a response has:
Content-Type: text/html
Content-Type:
On Fri, May 29, 2009 at 12:27 PM, Kristof Zelechovski
wrote:
> Inserting a SCRIPT element is not equivalent to a server-side include. It
> is more like linking to an object file. In particular, substitution macros
> (e.g. CONST in BASIC) in one script do not apply other scripts (all scripts
> pr
On Fri, 9 Jan 2009, Boris Zbarsky wrote:
>
> I've recently come across another issue with the origin definition.
>
> Right now, this says:
>
> 1) If url does not use a server-based naming authority, or if parsing
>url failed, or if url is not an absolute URL, then return a new
>globally u
On Tue, Jun 2, 2009 at 2:23 AM, Ian Hickson wrote:
> Adam: I believe that you are editing a draft that also has this algorithm;
> hat parts of HTML5 should I be stripping here? Will this particular
> algorithm belong in your draft or HTML5? (If the former, can you take this
> change also?)
It's u
So exactly what is the process by which this gets resolved? Is there one?
On Sun, May 24, 2009 at 10:17 AM, Bruce D'Arcus wrote:
> On Sat, May 23, 2009 at 5:35 PM, Ian Hickson wrote:
>
> ...
>
>> I agree that BibTeX is suboptimal. But what should we use instead?
>
> As I've suggested:
>
> 1) use
Bruce D'Arcus wrote:
So exactly what is the process by which this gets resolved? Is there one?
Hixie will respond to substantive emails sent to this list at some
point. However there are some hundreds of outstanding emails (see [1])
so the responses can take a while. If you have a pressing de
Adam Barth wrote on 6/2/2009 3:17 AM:
> Now, consider the reverse:
>
> Content-Type: image/gif
> Content-Type: text/html
>
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image. This is less likely to occur on the web because
> it doesn't work in Firefox
On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry wrote:
> It's less likely to occur legitimately, but more likely to occur under a
> header injection scenario.
As I wrote before in this thread, if the attacker can inject headers,
there are far more severe attacks than changing the type of an HTTP
respo
On Mon, Jun 1, 2009 at 12:48 PM, Ian Hickson wrote:
> On Mon, 1 Jun 2009, Simon Pieters wrote:
>> On Mon, 01 Jun 2009 21:09:56 +0200, Ian Hickson wrote:
>>
>> > > Please change "the body element" to "body
>> > > elements".
>> >
>> > Really? Do you have a test case demonstrating this?
>>
>> http:/
On 2 Jun 2009, at 02:58, Chris DiBona wrote:
One participant quoted one of the examples from the LGPL 2.1, which
says "For example, if a patent license would not permit royalty-free
redistribution of the Library by all those who receive copies directly
or indirectly through you, then the only w
Adam Barth wrote on 6/2/2009 11:47 AM:
> On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry wrote:
>> It's less likely to occur legitimately, but more likely to occur under a
>> header injection scenario.
>
> As I wrote before in this thread, if the attacker can inject headers,
> there are far more seve
On Wed, 14 Jan 2009, Cameron McCormack wrote:
>
> I began testing all attributes and operations with DOMString arguments
> from a selection of specs for their behaviour wrt null and undefined:
>
> http://mcc.id.au/2009/01/string-handling/string-handling
>
> Each pair of characters in the colu
I was wrong: CONST values and conditional compilation variables land as
properties of the window, which means they are unavailable to other scripts
only if the defining script is external and deferred.
Still, I do not think this behavior is mandatory for run-time; there may be
symbols that are hand
On Tue, 02 Jun 2009 19:36:25 +0200, Jonas Sicking wrote:
Is this something that's really needed for web compatibility though?
Probably not.
Creating a DOM with multiple s is hard since the parser will
never output such a DOM. Instead you have to manually set up such a
DOM using DOM methods
Bil Corry wrote:
> It's less likely to occur legitimately, but more likely to occur under a
> header injection scenario. For example, here's a page that simulates serving
> an image from an untrusted user[1], with the correct content-type of
> image/x-ms-bmp, then a second (injected) content-ty
Den.Molib wrote on 6/2/2009 4:19 PM:
> Bil Corry wrote:
>> It's less likely to occur legitimately, but more likely to occur under a
>> header injection scenario. For example, here's a page that simulates
>> serving an image from an untrusted user[1], with the correct content-type of
>> image/x
On Tue, Jun 2, 2009 at 7:24 PM, Bil Corry wrote:
> The server should provide a single content-type header that specifies
> text/plain. In the context that there are two content-type headers, then the
> answer will depend on which browser you want to protect; IE, set the first
> header to text/p
Looping in Danny (in transit)
On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey Sneddon
wrote:
>
> On 2 Jun 2009, at 02:58, Chris DiBona wrote:
>
>> One participant quoted one of the examples from the LGPL 2.1, which
>> says "For example, if a patent license would not permit royalty-free
>> redistribution
On Tue, Jun 2, 2009 at 3:50 AM, Chris DiBona wrote:
> Looping in Dannyb (who may not be on the list, so if necessary, I'll
> forward) as I'm in the midst of a conference and can't give this the
> attention it deserves.
>
> Chris
>
> On Tue, Jun 2, 2009 at 1:19 PM, Håkon Wium Lie wrote:
>> Also sp
On Thu, 2 Apr 2009, Bil Corry wrote:
>
> Since the public-webapps list was never able to reconcile[1] HTML5's
> Origin header (now renamed XXX-Origin[2]) with CORS's Origin header[3],
> we're left with two headers with similar implementations and similar
> names. Due to this, it may prudent to
Hello,
Regardless of any decision on whether my recommendation for
document.contentType to be standardized and made settable on a document
created by createDocument() (rather than needing to call the
less-than-intuitive doc.open() fix for HTML), I'd still like to
recommend standardizing on Mo
On Tue, Jun 2, 2009 at 8:20 PM, Chris DiBona wrote:
> Looping in Danny (in transit)
>
> On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey Sneddon
> wrote:
>>
>> On 2 Jun 2009, at 02:58, Chris DiBona wrote:
>>
>>> One participant quoted one of the examples from the LGPL 2.1, which
>>> says "For example, if
On Wed, Jun 3, 2009 at 11:29 AM, Daniel Berlin wrote:
> On Tue, Jun 2, 2009 at 8:20 PM, Chris DiBona wrote:
>> Looping in Danny (in transit)
>>
>> On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey Sneddon
>> wrote:
>>>
>>> On 2 Jun 2009, at 02:58, Chris DiBona wrote:
>>>
One participant quoted one o
On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin wrote:
[snip]
>> I would, however, get in trouble for not having paid patent
>> fees for doing so.
> No more or less trouble than you would have gotten in had you gotten
> it from ffmpeg instead of us, which combined with the fact that we do
For the
On Tue, Jun 2, 2009 at 9:38 PM, Silvia Pfeiffer
wrote:
> On Wed, Jun 3, 2009 at 11:29 AM, Daniel Berlin wrote:
>> On Tue, Jun 2, 2009 at 8:20 PM, Chris DiBona wrote:
>>> Looping in Danny (in transit)
>>>
>>> On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey Sneddon
>>> wrote:
On 2 Jun 2009, at
On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell wrote:
> On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin wrote:
> [snip]
>>> I would, however, get in trouble for not having paid patent
>>> fees for doing so.
>> No more or less trouble than you would have gotten in had you gotten
>> it from ffmpeg
On Tue, Jun 2, 2009 at 10:18 PM, Daniel Berlin wrote:
> On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell wrote:
>> On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin wrote:
>> [snip]
I would, however, get in trouble for not having paid patent
fees for doing so.
>>> No more or less trouble t
On Tue, Jun 2, 2009 at 10:18 PM, Daniel Berlin wrote:
> On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell wrote:
>> On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin wrote:
>> [snip]
I would, however, get in trouble for not having paid patent
fees for doing so.
>>> No more or less trouble t
On Wed, 03 Jun 2009 03:24:29 +0200, Brett Zamir wrote:
> Hello,
>
> Regardless of any decision on whether my recommendation for
> document.contentType to be standardized and made settable on a document
> created by createDocument() (rather than needing to call the
> less-than-intuitive doc.
On Tue, Jun 2, 2009 at 11:51 PM, Gregory Maxwell wrote:
> On Tue, Jun 2, 2009 at 10:18 PM, Daniel Berlin wrote:
>> On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell wrote:
>>> On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin wrote:
>>> [snip]
> I would, however, get in trouble for not having pa
On Sat, 4 Apr 2009, Innovimax SARL wrote:
>
> In 2.3 Case-sensitivity and string comparison
>
> Please replace
>
> "Converting a string to uppercase"
> and
> "Converting a string to lowercase"
>
> by respectively
>
> "Converting a string to uppercase ASCII"
> and
> "Converting a string to lowe
On Fri, 3 Apr 2009, Ojan Vafai wrote:
>
> I'm suggesting an addition to cross-domain (i)frames that allows
> scrolling specific content into view. The use case is sites that
> aggregate data from many sites (e.g. search engines) and want to display
> that data in an iframe. They can load the pag
On Wed, Jun 3, 2009 at 3:28 PM, Daniel Berlin wrote:
> On Tue, Jun 2, 2009 at 11:51 PM, Gregory Maxwell wrote:
>> On Tue, Jun 2, 2009 at 10:18 PM, Daniel Berlin wrote:
>>> On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell wrote:
On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin wrote:
[sni
Thanks, Ian !
On Wed, Jun 3, 2009 at 8:45 AM, Ian Hickson wrote:
> On Sat, 4 Apr 2009, Innovimax SARL wrote:
> >
> > In 2.3 Case-sensitivity and string comparison
> >
> > Please replace
> >
> > "Converting a string to uppercase"
> > and
> > "Converting a string to lowercase"
> >
> > by respectiv
38 matches
Mail list logo
