Timestamp:
Jun 29, 2010, 10:11:54 AM (9 years ago)
Author:
julian.reschke@…
Message:

Say a bit more about the fact that some clients do sniff, and why this can be very dangerous (see #155)

File:
1 edited

  • draft-ietf-httpbis/latest/p3-payload.xml

    r824 r831  
    794794   message containing an entity-body &SHOULD; include a Content-Type header
    795795   field defining the media type of that body, unless that information is
    796    unknown.  If the Content-Type header field is not present, it indicates that
     796   unknown.
     797</t>
     798<t>   
     799   If the Content-Type header field is not present, it indicates that
    797800   the sender does not know the media type of the data; recipients &MAY;
    798801   either assume that it is "application/octet-stream" (<xref target="RFC2046" x:fmt="," x:sec="4.5.1"/>)
    799802   or examine the content to determine its type.
     803</t>
     804<t>
     805   In practice, currently-deployed servers sometimes provide a Content-Type
     806   header which does not correctly convey the intended interpretation of the
     807   content sent, with the result that some clients will examine the response
     808   body's content and override the specified type.
     809</t>
     810<t>
     811   Client that do so risk drawing incorrect conclusions, which may expose
     812   additional security risks (e.g., "privilege escalation"). Implementers are
     813   encouraged to provide a means of disabling such "content sniffing" when it
     814   is used.
    800815</t>
    801816<t>
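Review bot: "Client that do so risk drawing incorrect conclusions" at 811 should read "Clients that do so risk drawing incorrect conclusions". In the same block, the new paragraph at 805 says "Content-Type header" while the surrounding text at 794 and 799 uses "Content-Type header field"; keep the established term. Finally, "privilege escalation" at 812 is quoted without saying what is escalated: a sentence explaining that the danger arises when the client overrides the declared type with one it treats as more capable (so a wrong guess becomes a security problem rather than only a rendering error) would make the recommendation at 813-814 actionable for implementers.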
     
    31463161    </t>
    31473162    <t>
     3163      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/155"/>:
     3164      "Content Sniffing"
     3165    </t>
     3166    <t>
    31483167      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/200"/>:
    31493168      "use of term "word" when talking about header structure"
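Review bot: The quoted ticket title "Content Sniffing" at 3164 differs in capitalization from "content sniffing" as written in the body text this changeset adds at 813; pick one form for both places. Placing the entry ahead of #200 keeps the list in ascending ticket order, so nothing else needs changing in this hunk.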