On Mon, Oct 24, 2011 at 9:48 AM, Larry Masinter <[email protected]> wrote:
> I don't understand, Philip. A central case of this document involves taking
> documents that look like text/html but are labeled as text/plain and
> "sniffing" them to be text/html after all.

Please read the document. This does not occur.

> It's claimed that this is necessary, part of most browsers today, regular
> practice, etc.

That's not factual.

> Are you opposed to specifying sniffing from text/plain to text/html? In any
> case?

As far as I know, everyone is opposed to that.

Adam

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Philip Gladstone
> Sent: Monday, October 24, 2011 9:24 AM
> To: [email protected]
> Subject: Re: [websec] #21: sniffing of text/html shouldn't override polyglot
> label of application/xhtml+xml
>
> On 10/23/2011 7:52 PM, websec issue tracker wrote:
>>
>> (One still might want to sniff text/html when the type is labeled
>> text/plain, for example, but not for other polyglot cases.)
> This would be a disaster. For security reasons, a web server needs to know
> when a document will be "executed" rather than "displayed".
> Currently, using text/plain will display any document literally. Causing a
> document that looks like html to be executed will open lots of web sites to
> XSS.
>
> Philip
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
