#20: Sniffing should be "opt in" on a case-by-case basis
The way the document is written as a normative algorithm makes it hard to
say this, but:

Every implementation should be free to "opt out" of sniffing based on
other information it has (previous experience with the site, information
based on whether a correct MIME type was given vs. misconfigured, etc.).

From the point of view of a web site, there's no additional security or
danger from opting out on a case-by-case basis; it's the same as, on a
case-by-case basis, choosing between two implementations, one of which
always sniffs and the other never sniffs.
--
------------------------+--------------------------------------------
Reporter: masinter@… | Owner: draft-ietf-websec-mime-sniff@…
Type: defect | Status: new
Priority: major | Milestone:
Component: mime-sniff | Version:
Severity: - | Keywords:
------------------------+--------------------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/20>
websec <http://tools.ietf.org/websec/>