On Sat, Jun 23, 2018, at 06:24, Tedd Sterr wrote:
> 3) Advance XEP-0363: HTTP File Upload
> Kev: [on-list] (without the agenda in advance, failed to look at this again)
> Sam: [on-list] (still nervous about the http headers stuff being too restrictive)
> Daniel: +1
> Dave: [pending]
> Georg: [pending]
A few notes on the security section:

- I wonder if it's worth either specifying that content-type sniffing by the client is not allowed, or that the X-Content-Type-Options header [1] is allowed on the server and should be respected by the client (the default on the web is to do sniffing unless it's turned off, but this is probably a good place where we can fix one of their mistakes and not allow sniffing by the server or client). Alternatively we can require that servers always send Content-Type, which seems reasonable.
- Maybe explicitly say what to do with executable content types.
- We may want an overview of other common security headers that servers should set on files they serve in case of use by web clients (e.g. a Content-Security-Policy or Strict-Transport-Security). The specifics are probably out of scope, so this might just be mentioning that the file server may want to do other things not mentioned in this XEP and provide a link to the OWASP recommendations or MDN or somewhere.

Otherwise I'm still unsure about limiting what headers can be set and still think we need a generic way to do this. Lots of services include non-standard auth headers, for example. That being said, I won't block for this and the security stuff can probably be tweaked later if it's actually necessary (except maybe the first one, but I leave that up to the author).

+1

—Sam

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
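The three points above (always send a Content-Type and forbid sniffing, handle executable content types explicitly, set the usual browser-hardening headers) can be illustrated in a few lines. The following is an added example written for this thread, not code from XEP-0363 or from any XMPP server; the function names, the `RISKY_TYPES` set and the header values are my own assumptions about a reasonable default, not something the XEP mandates.

```python
"""Added example, not part of XEP-0363 or any project's code.

server_headers(): picks the response headers for a file served from an
HTTP File Upload slot so that Content-Type is always present, sniffing
is disabled, and types a browser might execute are forced to download.
client_content_type(): the matching client rule, which uses only the
declared type and never inspects the bytes.
"""

import mimetypes
import posixpath

# Constructed list (an assumption): types a browser may execute or render
# with script access if displayed inline under the file server's origin.
RISKY_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "application/javascript",
    "text/javascript",
    "application/x-shockwave-flash",
}

# What both sides fall back to when nothing better is known.
SAFE_DEFAULT = "application/octet-stream"


def _normalize(ctype):
    """Drop parameters (e.g. '; charset=utf-8') and lower-case the media type."""
    return ctype.split(";")[0].strip().lower()


def server_headers(stored_name, declared_type=None):
    """Return the headers the file server should attach to a served file.

    stored_name:   the name the file was uploaded under (path parts are ignored).
    declared_type: the Content-Type the uploader declared on PUT, if any.
    The type is resolved as declared -> guessed from extension -> octet-stream,
    so Content-Type is never absent and the client has nothing to sniff.
    """
    ctype = declared_type or mimetypes.guess_type(stored_name)[0] or SAFE_DEFAULT
    ctype = _normalize(ctype)

    # Basename only, and no characters that could break the quoted-string.
    basename = posixpath.basename(stored_name).replace('"', "").replace("\\", "")
    if not basename:
        basename = "file"

    # Executable/scriptable types are delivered as downloads, never inline.
    disposition = "attachment" if ctype in RISKY_TYPES else "inline"

    return {
        "Content-Type": ctype,
        # Browsers must trust the declared type rather than guessing.
        "X-Content-Type-Options": "nosniff",
        # If something is rendered anyway, it gets no scripts, no network,
        # and a unique (sandboxed) origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Disposition": f'{disposition}; filename="{basename}"',
    }


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_content_type(response_headers):
    """Client side: the media type to act on for a downloaded file.

    Only the declared Content-Type is used. A missing header means the
    file is treated as opaque binary; the bytes are never sniffed.
    """
    declared = _header(response_headers, "Content-Type")
    if not declared:
        return SAFE_DEFAULT
    return _normalize(declared)


if __name__ == "__main__":
    for name, declared in [("report.pdf", None), ("page.html", None),
                           ("avatar", "image/svg+xml"), ("blob", None)]:
        print(name, "->", server_headers(name, declared))
```

The client rule is deliberately the mirror image of the server rule: the server guarantees a Content-Type is always present, and the client promises to act only on that value, so the sniffing behaviour Sam refers to never comes into play on either side.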
