Yeah, I think using the issue tracker would be very helpful for making progress. Ideally we'd break these issues down into small, manageable topics. For example, rather than having a single issue about scope, we'll probably be better off with separate issues about whether particular things are or are not in scope.
Adam

On Sat, Oct 15, 2011 at 4:52 PM, Larry Masinter <[email protected]> wrote:
> Could we start using the IETF tracker to keep track of our conversation on
> the issues on MIME sniffing?
>
> The interaction with a "nosniff" header should be one issue.
> The other three big issues that come to mind are
>
> * "scope" (to what situations does this apply)
> * "opt-in case-by-case" (whether one either sniffs ALWAYS or sniffs NEVER,
>   or whether it's more nuanced and based on expectation)
> * "normative algorithm vs. invariants for specifications".
>
> I'm willing to write up these issues and the sniffing ones from
> http://tools.ietf.org/html/draft-masinter-mime-web-info , and I hope we can
> capture Pete Resnick's issues as well as Alexey's.
>
> Larry
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Tobias Gondrom
> Sent: Sunday, October 02, 2011 2:44 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
> Importance: Low
>
> <hat="individual">
> Whether browsers will implement it, can't tell. Maybe we can learn more when
> we progress further with the mime-sniff draft.
>
> I don't have a strong opinion on the nosniff header.
> Depending on where the mime-sniff debate will lead us, it might be a way to
> mitigate concerns that in certain cases you really SHOULD NOT or MUST NOT
> (RFC2119) sniff. Well, and with such a header you could enforce exactly that
> for your sources, without breaking other unknown things/sites - which is the
> main reason for many browser vendors to start doing sniffing in the first place.
> (In one way nosniff could even be a migration path to less sniffing....)
>
> Best regards, Tobias
>
> On 01/10/11 15:30, Phillip Hallam-Baker wrote:
>> On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth <[email protected]> wrote:
>>> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
>>> <[email protected]> wrote:
>>>> On 2011/09/29 11:45, Adam Barth wrote:
>>>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
>>>>> <[email protected]> wrote:
>>>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>>> But then, as I recall, the whole business of sniffing is pretty
>>>>>> controversial to start with. Are there differences between the
>>>>>> controversiality of sniffing as such and the controversiality of
>>>>>> the nosniff directive that explain why one is in the draft and the
>>>>>> other is not?
>>>>> The reason why one is in and the other isn't is just historical.
>>>>> nosniff didn't exist at the time the document was originally written.
>>>> Your first answer sounded as if the nosniff directive was too
>>>> controversial to be included in any draft, but your second answer
>>>> seems to suggest that it was left out by (historical) accident, and
>>>> that it might be worth including it.
>>> The essential question isn't whether we should include it in the
>>> draft. The essential question is whether folks want to implement it.
>>> If no one wants to implement it, putting it in the draft is a
>>> negative. If folks want to implement it, then we can deal with the
>>> controversy.
>> +1
>>
>> The controversy seems to be of the 'cut off nose to spite face'
>> variety. Sniffing is definitely terrible from a security perspective
>> but people do it. Java and JavaScript were terrible as well but
>> people did them and then left the rest of us with a mess that had to
>> be fixed slowly over the next ten years.
>>
>> Sure this is not something we should have to think about but the fact
>> is that the browsers do it and it is better for the standards to
>> describe what the browsers actually do than what people think they
>> should do.
>>
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
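The nosniff mechanism Tobias and Martin discuss above, as an added example that is not part of this thread and is not the algorithm from draft-ietf-websec-mime-sniff: a simplified Python model of a sniffing client, showing why an upload the server labels text/plain gets rendered as HTML by a sniffing client unless the server also sends the header that shipped in browsers as X-Content-Type-Options: nosniff. The signature table, the set of declared types treated as "sniffable", the 512-byte window and the binary-byte test are my own simplifications, not taken from the draft.

```python
"""Simplified model of a sniffing client and the nosniff opt-out.

Added illustration, not the draft's normative algorithm. The pattern
table, the set of declared types treated as "sniffable" and the
binary-byte test are deliberate simplifications (assumptions) chosen to
show the security point made in the thread: a server that labels an
upload text/plain can still have it rendered as HTML by a sniffing
client unless it also sends X-Content-Type-Options: nosniff.
"""

# Declared types a sniffing client does not trust (assumption: a small
# subset of what real clients treat as sniffable).
SNIFFABLE = {None, "", "text/plain", "application/octet-stream", "unknown/unknown"}

# (pattern, case-insensitive text pattern?, sniffed type). Constructed
# subset of common signatures; leading whitespace is skipped and case
# is folded for the text patterns only.
_PATTERNS = [
    (b"<!DOCTYPE HTML", True, "text/html"),
    (b"<HTML", True, "text/html"),
    (b"<SCRIPT", True, "text/html"),
    (b"<IFRAME", True, "text/html"),
    (b"%PDF-", False, "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", False, "image/png"),
    (b"GIF87a", False, "image/gif"),
    (b"GIF89a", False, "image/gif"),
    (b"\xff\xd8\xff", False, "image/jpeg"),
]

# Control bytes that mark a body as binary rather than text
# (approximation; tab, LF, FF, CR and ESC are allowed in text).
_BINARY_BYTES = (set(range(0x00, 0x09)) | {0x0B}
                 | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20)))


def parse_content_type(value):
    """Media type from a Content-Type value, lowercased, parameters dropped."""
    if value is None:
        return None
    return value.split(";", 1)[0].strip().lower()


def sniff_body(body):
    """Guess a media type from the first 512 bytes of the body."""
    head = body[:512]
    text_head = head.lstrip(b" \t\n\r\f").upper()
    for pattern, is_text, mtype in _PATTERNS:
        if is_text:
            if text_head.startswith(pattern):
                return mtype
        elif head.startswith(pattern):
            return mtype
    if any(b in _BINARY_BYTES for b in head):
        return "application/octet-stream"
    return "text/plain"


def effective_type(headers, body):
    """Type a sniffing client would act on.

    headers: dict with lowercase header names (e.g. "content-type").
    """
    declared = parse_content_type(headers.get("content-type"))
    opt_out = headers.get("x-content-type-options", "").strip().lower()
    if opt_out == "nosniff":
        # The server asked for the declared type to be honoured. A
        # missing Content-Type falls back to octet-stream (assumption).
        return declared or "application/octet-stream"
    if declared in SNIFFABLE:
        return sniff_body(body)
    return declared


# Constructed sample: an upload saved as "notes.txt" whose body is
# HTML. The server labels it text/plain, as it would any text upload.
UPLOAD_BODY = b"<html><script>alert(document.cookie)</script></html>"


def demo():
    """(type without nosniff, type with nosniff) for the sample upload."""
    plain = {"content-type": "text/plain"}
    protected = {**plain, "x-content-type-options": "nosniff"}
    return effective_type(plain, UPLOAD_BODY), effective_type(protected, UPLOAD_BODY)


if __name__ == "__main__":
    print(demo())  # ('text/html', 'text/plain')
```

Run it as a script to see the two outcomes for the same bytes; the only difference between the two requests is the opt-out header, which is the per-source, per-resource control Tobias describes.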
