Re: [websec] scope of mimesniff: roles vs. contexts vs. delivery channels

Wed, 11 Jan 2012 20:11:58 -0800 

<hat="individual">
Personally I believe we should include in the scope the possibility of other sniffing contexts (web servers, uploads, filesystem, ....) and actually would feel that this should not add a significant burden on the document. 


However, if it does add a significant burden/delay on the document I 
would agree with Bjoern, that rather have a web browser document now 
than getting stuck discussing the other scenarios.

So give it a shot, but if you see too much controversy, reduce the scope.

(Thinking about human behaviour: In the end I believe even if we go only 
with web browser context, if other channels sniff, they will most 
certainly copy the web browser behaviour anyway - no matter what we say 
in the RFC.)


Best regards, Tobias





On 12/01/12 02:36, Larry Masinter wrote:

Going back to the "scope" question, should the mimesniff document cover 
sniffing in contexts other than browsers, e.g., by web servers during file upload, by 
proxies or firewalls or gateways, by spiders or search engines, etc.?

Within the browser context, does it cover sniffing in special applications like 
font, video, style sheet, script contexts, where more is known about the type 
that is wanted?

The dimension of 'roles' is somewhat orthogonal to the dimension we were 
talking about previously (whether the specification should cover sniffing of 
content delivered by means other than HTTP.

It seemed that the sentiment previously was to cover a broad scope of delivery 
channels: sniffing should cover the broad scope of sniffing of content 
delivered by FTP or through (mounted) file system access, etc., and that the 
intent was also to cover a broad scope of contexts (including font, video, 
style sheet, etc.).

But what about the other roles? I think we could address them at least to some 
degree, if only to lay out what the constraints are, or what, say, a firewall 
should do (scanning content in a firewall should likely scan the data as it 
might appear in the likely formats that any recipient might interpret the data, 
for example.)

Larry
--
http://larry.masinter.net






_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec


_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec






















					Reply via email to