On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth <[email protected]> wrote:
> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
> <[email protected]> wrote:
>> On 2011/09/29 11:45, Adam Barth wrote:
>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
>>> <[email protected]> wrote:
>>>>
>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>
>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>
>>>> But then, as I recall, the whole business of sniffing is pretty
>>>> controversial to start with. Are there differences between the
>>>> controversiality of sniffing as such and the controversiality of the
>>>> nosniff directive that explain why one is in the draft and the other
>>>> is not?
>>>
>>> The reason why one is in and the other isn't is just historical.
>>> nosniff didn't exist at the time the document was originally written.
>>
>> Your first answer sounded as if the nosniff directive was too controversial
>> to be included in any draft, but your second answer seems to suggest that it
>> was left out by (historical) accident, and that it might be worth including
>> it.
>
> The essential question isn't whether we should include it in the
> draft. The essential question is whether folks want to implement it.
> If no one wants to implement it, putting it in the draft is a
> negative. If folks want to implement, then we can deal with the
> controversy.

+1

The controversy seems to be of the 'cut off nose to spite face' variety.

Sniffing is definitely terrible from a security perspective but people
do it. Java and JavaScript were terrible as well but people did them
and then left the rest of us with a mess that had to be fixed slowly
over the next ten years.

Sure this is not something we should have to think about but the fact
is that the browsers do it and it is better for the standards to
describe what the browsers actually do than what people think they
should do.

-- 
Website: http://hallambaker.com/
