Re: mime-web-info 6.1 feedback

Up against the deadline for submitting new versions, I posted
 http://tools.ietf.org/html/draft-masinter-mime-web-info-01

without carefully addressing your comment on the "applications that use this type" in what had been section 6.1 (in fact, the text in -01 is unfortunately incoherent).

I was thinking about this, and wonder if the issue is really around the security considerations for sniffing and privilege escalation...

Content that allows hyperlinks to embedded content
   -- which is (or is not) commonly automatically retrieved to display
      E.g., HTML with embedded IMG tags
Content that contains scripting:
   where script content can access the internet
      -- with or without sandboxing
   where script content can access the "local file system"
Content that is not intended to be scriptable

Buggy software can turn a JPEG into scriptable content which accesses the local file system, but it's "buggy"?
Turning text/plain into malicious content might involve attacks on the UTF8 decoders?
Note that some fonts are scriptable....

Larry
--
http://larry.masinter.net

Received on Tuesday, 26 October 2010 06:45:28 UTC