Thank you Adam and Larry.
Excellent. Yes, please, we shall continue the discussion on mime-sniffing,
and the chairs strongly encourage using the tracker for this draft, as
it will enable us to focus the discussion and get better progress.
Thank you, and very much looking forward to discussing and getting ahead
with this draft.
Tobias
(websec chair)
On 17/10/11 20:36, Peter Saint-Andre wrote:
+1 to using the tracker so we can narrow the scope of disagreement and
achieve closure.
On 10/15/11 5:54 PM, Adam Barth wrote:
Yeah, I think using the issue tracker would be very helpful for making
progress. Ideally we'd break these issues down into small, manageable
topics. For example, rather than having a single issue about scope,
we'll probably be better off with separate issues about whether
particular things are or are not in scope.
Adam
On Sat, Oct 15, 2011 at 4:52 PM, Larry Masinter <[email protected]> wrote:
Could we start using the IETF tracker to keep track of our conversation on the
issues on MIME sniffing?
The interaction with a "nosniff" header should be one issue.
The other three big issues that come to mind are
* "scope" (to what situations does this apply)
* "opt-in case-by-case" (whether one either sniffs ALWAYS or sniffs NEVER, or
whether it's more nuanced and based on expectation)
* "normative algorithm vs. invariants for specifications".
I'm willing to write up these issues and the sniffing ones from
http://tools.ietf.org/html/draft-masinter-mime-web-info , and I hope we can
capture Pete Resnick's issues as well as Alexey's.
Larry
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Tobias Gondrom
Sent: Sunday, October 02, 2011 2:44 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
Importance: Low
<hat="individual">
Whether browsers will implement it, I can't tell. Maybe we can learn more when we
progress further with the mime-sniff draft.
I don't have a strong opinion on the nosniff header.
Depending on where the mime-sniff debate will lead us, it might be a way to
mitigate concerns that in certain cases you really SHOULD NOT or MUST NOT
(RFC2119) sniff. Well, and with such a header you could enforce exactly that for
your sources, without breaking other unknown things/sites - which is the main
reason many browser vendors started sniffing in the first place.
(In one way, nosniff could even be a migration path to less sniffing...)
Best regards, Tobias
On 01/10/11 15:30, Phillip Hallam-Baker wrote:
On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth <[email protected]> wrote:
On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
<[email protected]> wrote:
On 2011/09/29 11:45, Adam Barth wrote:
On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
<[email protected]> wrote:
On 2011/09/29 8:26, Adam Barth wrote:
As I recall, the nosniff directive is pretty controversial.
But then, as I recall, the whole business of sniffing is pretty
controversial to start with. Are there differences between the
controversiality of sniffing as such and the controversiality of
the nosniff directive that explain why one is in the draft and the
other is not?
The reason why one is in and the other isn't is just historical.
nosniff didn't exist at the time the document was originally written.
Your first answer sounded as if the nosniff directive was too
controversial to be included in any draft, but your second answer
seems to suggest that it was left out by (historical) accident, and
that it might be worth to include it.
The essential question isn't whether we should include it in the
draft. The essential question is whether folks want to implement it.
If no one wants to implement it, putting it in the draft is a
negative. If folks want to implement, then we can deal with the
controversy.
+1
The controversy seems to be of the 'cut off nose to spite face'
variety. Sniffing is definitely terrible from a security perspective,
but people do it. Java and JavaScript were terrible as well, but
people did them and then left the rest of us with a mess that had to
be fixed slowly over the next ten years.
Sure, this is not something we should have to think about, but the fact
is that the browsers do it, and it is better for the standards to
describe what the browsers actually do than what people think they
should do.
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
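An added illustration of the point made in the thread above, that a nosniff header lets a server opt its own responses out of sniffing without changing what browsers do for everyone else. This is example code written for this page, not code from the websec draft, from draft-masinter-mime-web-info, or from any browser. The header it honours, X-Content-Type-Options: nosniff, is the one browsers actually implement; the signature table and the list of "sniffable" declared types are a deliberately small, hypothetical subset chosen to show the classic failure (a text/plain upload that a sniffing browser renders as HTML), not the draft's normative algorithm. The sample responses are constructed, not captured traffic.

```python
from dataclasses import dataclass

# Hypothetical, deliberately small subset of sniffing signatures; real browser
# tables are much larger. Enough to show the text/plain -> text/html problem.
HTML_SIGNATURES = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Declared types that sniffing browsers have historically refused to trust
# (assumption for this example, not a normative list).
SNIFFABLE_TYPES = {None, "text/plain", "application/octet-stream", "unknown/unknown"}


@dataclass(frozen=True)
class Response:
    headers: dict   # header names lowercased by the caller
    body: bytes


def declared_type(resp):
    """Media type from Content-Type without parameters, or None if absent."""
    ct = resp.headers.get("content-type")
    return None if ct is None else ct.split(";", 1)[0].strip().lower()


def has_nosniff(resp):
    """True when the server sent X-Content-Type-Options: nosniff."""
    return resp.headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def sniff_bytes(head):
    """Guess a type from the first bytes, or None if nothing matches."""
    if head.startswith(PNG_SIGNATURE):
        return "image/png"
    text = head.lstrip(b" \t\r\n").lower()
    if any(text.startswith(sig) for sig in HTML_SIGNATURES):
        return "text/html"
    return None


def effective_type(resp):
    """Type the simulated browser will act on."""
    declared = declared_type(resp)
    if has_nosniff(resp):
        # Per-source opt-out: the declared type is final; the bytes are not consulted.
        return declared or "application/octet-stream"
    if declared in SNIFFABLE_TYPES:
        guess = sniff_bytes(resp.body[:512])
        if guess is not None:
            return guess
    return declared or "application/octet-stream"


def missing_nosniff(responses):
    """Audit check: labels of responses that still leave sniffing enabled."""
    return [label for label, r in responses.items() if not has_nosniff(r)]


# Constructed sample responses (not captured traffic).
ATTACKER_TEXT = b"<script>fetch('/steal?c=' + document.cookie)</script>"
SAMPLES = {
    "upload-plain": Response({"content-type": "text/plain"}, ATTACKER_TEXT),
    "upload-plain-nosniff": Response(
        {"content-type": "text/plain", "x-content-type-options": "nosniff"},
        ATTACKER_TEXT,
    ),
    "png-mislabeled": Response(
        {"content-type": "application/octet-stream"}, PNG_SIGNATURE + b"\x00" * 16
    ),
}

if __name__ == "__main__":
    for label, r in SAMPLES.items():
        print(f"{label}: declared={declared_type(r)} effective={effective_type(r)}")
    print("responses still sniffable:", missing_nosniff(SAMPLES))
```

The first sample is the case the thread worries about: the same bytes are treated as text/plain or as executable HTML depending only on whether the server opted out, which is why the header works as a per-source migration path rather than a global switch. The third sample shows the cost of opting out: a mislabeled PNG that sniffing would have repaired is left as octet-stream once nosniff is set, so the header has to be paired with correct Content-Type values.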