ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: content inspection in absence of media type, was: [apps-discuss] APPSDIR review of draft-ietf-httpbis-p2-semantics-24

2013-10-30 22:32:43
from [Mark Nottingham] [Permanent Link] 
SM,

Consensus around this text was particularly hard-won; unless there is a very 
good reason to make a change, I'd rather not risk falling into that rat-hole 
again.

Regards,


On 31/10/2013, at 2:49 AM, S Moonesamy <sm+ietf(_at_)elandsys(_dot_)com> wrote:


Hi Julian,
At 07:12 29-10-2013, Julian Reschke wrote:

I consider that sentence to be useless - if I can't detect the type, what 
else but "treating as arbitrary data" is left as an option anyway?


I'll comment below.


I still don't get what the issue is :-)


My preference is not to generate material which create more work for you.  
It's better not to pursue this one. :-)


The subsequent text is:

"In practice, resource owners do not always properly configure their origin 
server to provide the correct Content-Type for a given representation, with 
the result that some clients will examine a payload's content and override 
the specified type. Clients that do so risk drawing incorrect conclusions, 
which might expose additional security risks (e.g., "privilege escalation"). 
Furthermore, it is impossible to determine the sender's intent by examining 
the data format: many data formats match multiple media types that differ 
only in processing semantics. Implementers are encouraged to provide a means 
of disabling such "content sniffing" when it is used."

Do you think this is insufficient, or that it needs to move to a different 
part of the spec?


The subsequent text is, to put it simply, about an operational issue and 
security considerations.  The recommendation in Section 3.1.1.5 is to 
generate a Content-Type header field if the server knows the media type.  
There are cases when the server does not know the media type.  In such cases 
the server sends the client "application/octet-stream".  There is where the 
user has to determine whether the server is operated by good person or a bad 
person (re. arbitrary data).  The user relies on the browser to perform some 
magic to determine that.  That magic does not always work well.

If it was my decision (and it is not) I would discuss about this under 
Security Considerations and mention that content sniffing can cause security 
problems.  Please note that there are different alternatives to tackle the 
issue.

Regards,
S. Moonesamy 



--
Mark Nottingham   http://www.mnot.net/
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Review of: Characterization of Proposed Standards, Abdussalam Baryun
Next by Date:  Re: [apps-discuss] content inspection in absence of media type, was: APPSDIR review of draft-ietf-httpbis-p2-semantics-24, "Martin J. Dürst"
Previous by Thread:  Re: content inspection in absence of media type, was: [apps-discuss] APPSDIR review of draft-ietf-httpbis-p2-semantics-24, S Moonesamy
Next by Thread:  Re: content inspection in absence of media type, was: [apps-discuss] APPSDIR review of draft-ietf-httpbis-p2-semantics-24, S Moonesamy
Indexes:  [Date] [Thread] [Top] [All Lists]