On Mon, Sep 02, 2002 at 12:14:43PM -0700, Ian Clarke wrote:
> Does this mean that the "view page source" link that comes up when the
> anonymity doesn't work in IE?

No, it means that the anonymity filter will pass through any "safe"
content types, and then IE will render the HTML anyway, being too clever
by half for its own good (this has caused a zillion security problems
for Outlook in the past). It does not get filtered AT ALL, because it's
a safe MIME type.

>
> Perhaps a better approach is to treat the detection of *any* html in a
> text/plain document as a potential threat and warn the user (being

We would have to filter ALL documents of supposedly safe types.

> careful to modify the "View page source" link since it would likely be
> ineffective).
>
> Ian.
>
> On Mon, Sep 02, 2002 at 08:06:44PM +0100, Matthew Toseland wrote:
> > If you insert a page of HTML as text/plain, it will not be filtered,
> > being a 'safe' content-type. However, M$IE (tested a fairly recent
> > version - somewhere between 5 and 6 inclusive), will recognize the HTML,
> > and render it. So... we need to have loud warnings not to use IE, all
> > over the place, in the README, but especially, we need fproxy to scan
> > for IE's header signature, and if detected bring up a clickthrough page
> > (like for new build versions, make it a bit more stubborn - force users
> > to copy a URL into the address bar by hand would do it), explaining all
> > this if it detects M$IE using it. Alternatively, we could filter out bad
> > HTML/CSS regardless of the supposed MIME type.
>
> --
> Ian Clarke ian at freenetproject.org
> Founder & Coordinator, The Freenet Project http://freenetproject.org/
> Chief Technology Officer, Uprizer Inc. http://www.uprizer.com/
> Personal Homepage http://locut.us/
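The two checks proposed in this thread (warn when a text/plain document contains any HTML, and show a clickthrough page when IE's header signature is seen), sketched in Python as an added example. It is not fproxy code; SAFE_TYPES, looks_like_html, is_msie and decide are hypothetical names, and the sample inputs are constructed.

```python
import re

# Assumption: the declared types the gateway passes through unfiltered.
SAFE_TYPES = {"text/plain"}

# Tag-like markup: "<" followed directly by a tag name, a comment opener or
# a doctype. The whole body is scanned, following the "any html" proposal,
# so the check does not depend on how many bytes a sniffing browser reads.
# It errs toward warning: text such as "x<y " also matches.
TAG_RE = re.compile(rb"<(?:!doctype\b|!--|/?[a-z][a-z0-9]*[\s/>])", re.IGNORECASE)


def looks_like_html(body: bytes) -> bool:
    """True if the body contains anything a browser could parse as a tag."""
    return TAG_RE.search(body) is not None


def is_msie(user_agent: str) -> bool:
    """Heuristic match on the 'MSIE <version>' token IE puts in User-Agent.

    The header is client-controlled, so this only drives a warning page.
    """
    return "MSIE " in user_agent


def decide(content_type: str, body: bytes, user_agent: str = "") -> str:
    """Return 'filter', 'warn', 'clickthrough' or 'pass' for one response."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in SAFE_TYPES:
        return "filter"        # not a safe type: goes to the normal content filter
    if looks_like_html(body):
        return "warn"          # declared safe, but a sniffing browser may render it
    if is_msie(user_agent):
        return "clickthrough"  # browser known to second-guess the declared type
    return "pass"


if __name__ == "__main__":
    # Constructed samples: HTML inserted as text/plain, then ordinary text.
    ie6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    print(decide("text/plain", b"<html><body>hello</body></html>", ie6))
    print(decide("text/plain", b"just notes, 1 < 2", ie6))
```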
