Hi Julian,
At 07:12 29-10-2013, Julian Reschke wrote:
I consider that sentence to be useless - if I can't detect the type,
what else but "treating as arbitrary data" is left as an option anyway?
I'll comment below.
I still don't get what the issue is :-)
My preference is not to generate material which create more work for
you. It's better not to pursue this one. :-)
The subsequent text is:
"In practice, resource owners do not always properly configure their
origin server to provide the correct Content-Type for a given
representation, with the result that some clients will examine a
payload's content and override the specified type. Clients that do
so risk drawing incorrect conclusions, which might expose additional
security risks (e.g., "privilege escalation"). Furthermore, it is
impossible to determine the sender's intent by examining the data
format: many data formats match multiple media types that differ
only in processing semantics. Implementers are encouraged to provide
a means of disabling such "content sniffing" when it is used."
Do you think this is insufficient, or that it needs to move to a
different part of the spec?
The subsequent text is, to put it simply, about an operational issue
and security considerations. The recommendation in Section 3.1.1.5
is to generate a Content-Type header field if the server knows the
media type. There are cases when the server does not know the media
type. In such cases the server sends the client
"application/octet-stream". There is where the user has to determine
whether the server is operated by good person or a bad person (re.
arbitrary data). The user relies on the browser to perform some
magic to determine that. That magic does not always work well.
If it was my decision (and it is not) I would discuss about this
under Security Considerations and mention that content sniffing can
cause security problems. Please note that there are different
alternatives to tackle the issue.
Regards,
S. Moonesamy