Could we start using the IETF tracker to keep track of our conversation on the issues on MIME sniffing?
The interaction with a "nosniff" header should be one issue. The other three big issues that come to mind are:

* "scope" (to what situations does this apply)
* "opt-in case-by-case" (whether one either sniffs ALWAYS or sniffs NEVER, or whether it's more nuanced and based on expectation)
* "normative algorithm vs. invariants for specifications"

I'm willing to write up these issues and the sniffing ones from http://tools.ietf.org/html/draft-masinter-mime-web-info , and I hope we can capture Pete Resnick's issues as well as Alexey's.

Larry

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tobias Gondrom
Sent: Sunday, October 02, 2011 2:44 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
Importance: Low

<hat="individual">

Whether browsers will implement it, I can't tell. Maybe we can learn more when we progress further with the mime-sniff draft.

I don't have a strong opinion on the nosniff header. Depending on where the mime-sniff debate will lead us, it might be a way to mitigate concerns that in certain cases you really SHOULD NOT or MUST NOT (RFC2119) sniff. Well, and with such a header you could enforce exactly that for your sources, without breaking other unknown things/sites, which is the main reason for many browser vendors to start doing sniffing in the first place. (In one way nosniff could even be a migration path to less sniffing....)

Best regards, Tobias

On 01/10/11 15:30, Phillip Hallam-Baker wrote:
> On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth <[email protected]> wrote:
>> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst" <[email protected]> wrote:
>>> On 2011/09/29 11:45, Adam Barth wrote:
>>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst" <[email protected]> wrote:
>>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>> But then, as I recall, the whole business of sniffing is pretty controversial to start with. Are there differences between the controversiality of sniffing as such and the controversiality of the nosniff directive that explain why one is in the draft and the other is not?
>>>> The reason why one is in and the other isn't is just historical. nosniff didn't exist at the time the document was originally written.
>>> Your first answer sounded as if the nosniff directive was too controversial to be included in any draft, but your second answer seems to suggest that it was left out by (historical) accident, and that it might be worth including it.
>> The essential question isn't whether we should include it in the draft. The essential question is whether folks want to implement it. If no one wants to implement it, putting it in the draft is a negative. If folks want to implement it, then we can deal with the controversy.
> +1
>
> The controversy seems to be of the 'cut off nose to spite face' variety. Sniffing is definitely terrible from a security perspective, but people do it. Java and JavaScript were terrible as well, but people did them and then left the rest of us with a mess that had to be fixed slowly over the next ten years.
>
> Sure, this is not something we should have to think about, but the fact is that the browsers do it and it is better for the standards to describe what the browsers actually do than what people think they should do.
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
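Added illustration of Tobias's point that a per-response opt-out lets a site stop sniffing for its own resources without touching anyone else's (example code written for this page, not from the thread or from the mime-sniff draft). The sniffing rule below is a deliberately simplified stand-in for a client's real algorithm, `X-Content-Type-Options: nosniff` is the header that browsers use to carry the directive, and the URLs and bodies are constructed samples.

```python
from dataclasses import dataclass

# Header that browsers use to carry the nosniff directive discussed in the thread.
NOSNIFF_HEADER = "x-content-type-options"

# Deliberately simplified stand-in for a sniffing rule; NOT the draft's algorithm.
_HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<iframe")


@dataclass
class Response:
    headers: dict   # header names stored in lower case
    body: bytes

    def header(self, name):
        return self.headers.get(name.lower(), "")


def declared_type(resp):
    """The media type the server claims, without parameters such as charset."""
    return resp.header("content-type").split(";")[0].strip().lower()


def nosniff_requested(resp):
    """True when the server opted this particular response out of sniffing."""
    return resp.header(NOSNIFF_HEADER).strip().lower() == "nosniff"


def sniffed_type(resp):
    """Stand-in sniff: HTML-looking markers in the first 512 bytes override the label."""
    head = resp.body[:512].lower()
    return "text/html" if any(m in head for m in _HTML_MARKERS) else declared_type(resp)


def effective_type(resp):
    """Client decision: honour the declared type when opted out, otherwise sniff."""
    return declared_type(resp) if nosniff_requested(resp) else sniffed_type(resp)


def audit_missing_nosniff(responses):
    """Defender check: URLs whose type sniffing would change and that lack the opt-out."""
    return [url for url, r in responses.items()
            if not nosniff_requested(r) and effective_type(r) != declared_type(r)]


# Constructed samples: the same user-supplied text served with and without the opt-out.
BODY = b"<html><body>user-supplied text</body></html>"
SAMPLES = {
    "https://example.test/notes.txt": Response({"content-type": "text/plain"}, BODY),
    "https://example.test/notes-nosniff.txt": Response(
        {"content-type": "text/plain", NOSNIFF_HEADER: "nosniff"}, BODY),
}
```

Only the response that carries the header keeps its declared `text/plain`; the other is re-typed to `text/html` by the stand-in sniff, which is what the audit function reports.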
