I should have added another option, 3b: drop the Content-Type restriction but allow file extensions.

Sounds like that would be a win on IIS.

On Thu, Nov 12, 2015 at 05:05:53PM -0800, Martin Thomson wrote:
> On 12 November 2015 at 16:44, Peter Eckersley <[email protected]> wrote:
> > But is 3 the best answer?
>
> Of those presented, I think so. I know that this isn't a great answer
> (it's bad already, so bad must be OK), but being able to drop things
> into .well-known opens a raft of other interesting attacks.
>
> More seriously, I think that the other options all have deployment
> complications that far outweigh the marginal benefit that extra
> checking might provide.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme

-- 
Peter Eckersley                            [email protected]
Chief Computer Scientist                  Tel  +1 415 436 9333 x131
Electronic Frontier Foundation            Fax  +1 415 436 9993
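As an added illustration of the "option 3" position discussed in this exchange (not code from the thread, from the ACME draft, or from any CA's validator): a minimal HTTP-01 validator that decides purely on the response body matching the key authorization (token, a dot, and the base64url SHA-256 thumbprint of the account key per RFC 7638) and never consults the Content-Type header. The function names, the dictionary shape standing in for an HTTP response, the sample token and the sample JWK are assumptions constructed for the example; the JWK is not a real key.

```python
import base64
import hashlib
import json
import re
from typing import Dict, Tuple

# Tokens are base64url without padding; rejecting anything else keeps the
# token from carrying "." or "/" into the .well-known/acme-challenge path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, sorted keys, no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(token: str, jwk: dict, response: Dict) -> Tuple[bool, str]:
    """Check one fetched response for the challenge.

    `response` is a constructed stand-in for the result of fetching
    http://<domain>/.well-known/acme-challenge/<token>:
    {"status": int, "headers": {...}, "body": str | bytes}.
    The Content-Type header is deliberately ignored (option 3 / 3b in the
    thread): a static host, IIS, or a CDN may label the file as anything.
    """
    if not TOKEN_RE.match(token):
        return False, "token is not base64url"
    if response["status"] != 200:
        return False, f"unexpected HTTP status {response['status']}"
    body = response["body"]
    if isinstance(body, bytes):
        try:
            body = body.decode("ascii")
        except UnicodeDecodeError:
            return False, "body is not ASCII"
    # Tolerate only trailing whitespace (editors and some servers append a
    # newline); anything else in the body must match exactly.
    if body.rstrip("\r\n\t ") != key_authorization(token, jwk):
        return False, "body does not match the key authorization"
    return True, "ok"


# Constructed sample data, not real ACME values.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "a-different-account-key"}


def sample_responses() -> Dict[str, Dict]:
    """Constructed responses a validator might see for the same token."""
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    return {
        # Extensionless file served with a guessed type: must still pass.
        "octet_stream": {"status": 200,
                         "headers": {"Content-Type": "application/octet-stream"},
                         "body": ka.encode("ascii")},
        # File saved with a trailing newline and served as text/plain: must pass.
        "text_plain_newline": {"status": 200,
                               "headers": {"Content-Type": "text/plain"},
                               "body": ka + "\n"},
        # Something else dropped at the path (an upload that lands there): must fail.
        "wrong_body": {"status": 200,
                       "headers": {"Content-Type": "text/plain"},
                       "body": "not the key authorization"},
        "not_found": {"status": 404, "headers": {}, "body": ""},
    }


if __name__ == "__main__":
    for name, resp in sample_responses().items():
        print(name, validate_http01(SAMPLE_TOKEN, SAMPLE_JWK, resp))
```

The body comparison is what carries the security weight: an attacker who can place a file under `.well-known/acme-challenge/` but does not hold the account key cannot produce the matching thumbprint, so the `OTHER_JWK` case fails even with the correct token. Whether that is enough protection against the "raft of other interesting attacks" Martin mentions is exactly the trade-off the thread is weighing; the example only shows what the check reduces to once Content-Type is out of the picture.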
