> - in which way is it more certain that there is no mislabeled PDF than a
> mislabeled jpg or mislabeled rtf?

I don't think this is relevant. There is likely mislabeled PDF. But I had specific feedback from implementors of PDF readers that sniffing from other content-types resulted in a worse situation than not sniffing. I don't have any information on jpg or rtf. Sniffing should only be done when it is justified by an improved user experience over not sniffing. I think the obligation of evidence is "opt in": we should only sniff content when there is evidence of mislabeled content for which sniffing actually improves something, and the improvement outweighs other considerations.

> - what about scenarios in which there is no content-type (e.g. ftp,
> filesystem), should in this case sniffing not be done?

I didn't get any feedback on that. I don't know any workflows where valid PDF doesn't carry a file type label somehow (if only the file extension .pdf), so maybe sniffing based on file content itself doesn't matter. (Maybe this is another issue? I just wonder if the algorithm for "no content-type" is the same, or needs to be the same, as the algorithm for "content-type via HTTP".)

Larry

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec