Vulnerability Development mailing list archives

Re: Plain text files in internet explorer


From: Benjamin Elijah Griffin <bgriffin () gracenote com>
Date: Tue, 3 Sep 2002 12:21:05 -0700

Dan Kaminsky <dan () doxpara com> wrote:
> I'm serious; we have an extension <-> filetype LUT in the web server, 
> the one component that cares least about the content, and it's breaking 
> at precisely this point.  Extensions are file types.  Period.

If only it were that easy.

> Photoshop makes a JPEG.  It's a JPEG.
> Imagemagick makes a JPEG.  It's a JPEG.
> Some crazy hacker with a hex editor makes a JPEG.  It's a JPEG.

Sure, fine. But my SpiffyOS has a great way to store the filetype
outside the filename. So, I use the filename to store special
attributes of the file, such as 

        bullet.red
        bullet.blue
        logo.large
        logo.med
        logo.small

At some point I'm going to accidentally come up with an "extension"
that maps differently on different systems.

> The implementation does not define the format.  Exposing CGI/PHP/ASP is 
> marketing, nothing more.

It is a convenience thing. Say one person controls the server configuration
and another the content. Since the server will need to do processing on
.asp, .php, .cgi, those names are used to flag that. I prefer not to do
that myself, but I wouldn't forbid it.

> http://www.foobar.com/movie.mpg is a direct handle to an mpeg movie.
> http://www.foobar.com/foobar.exe is a direct handle to an executable.

http://www.example.com/search.shtml?name=fun&type=*.mpg

What type is that?

http://www.example.com/cgi-bin/clear.gif?webbug=IDNUMBERHERE

What type is that?

http://xml.example.com/xmlfeed/

What type is that?

> Suppose for a moment we keep the URLs the same, but swap file content 
> and MIME header (i.e. you go to download the movie and instead run the 
> code in foobar.exe).  Sure, this is an obvious breach of security, but 
> it's something *more* than that.  It's a spoofing attack.  The user has 
> as much a legitimate right to consider themselves downloading a batch of 
> video data as they do to believe the content is coming from foobar.com.

So if a user loads 

http://www.example.com/images/background.jpg

and gets HTML (with javascript in it) then that is a spoofing attack?
Even if the server states the content is text/html? What if the HTML
comes with a file not found message (but a 200 code)?

> There are few engineers who will praise the simultaneous genius of URLs, 
> HTTP, and HTML as highly as myself.  That they all spawned 
> simultaneously is a feat of synergistic engineering unparalleled in 
> recent memory.  But MIME-types are a failure, and a stubborn refusal to 
> admit such benefits nobody.

I cannot agree with you.

>     Dan Kaminsky
>     DoxPara Research
>     http://www.doxpara.com

I notice your front page has a link to a url:

http://www.doxpara.com/index_old.php

Which the server declares to be "Content-Type: text/html".

Benjamin
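
The thread above argues over three separate signals that can disagree: the extension in the URL path, the Content-Type the server declares, and what the bytes of the body actually are. The script below, an added example that is not part of the original message and not code from either poster, cross-checks those three signals for a set of constructed responses modelled on the URLs quoted in the thread. The extension table, the handler-extension list, and the magic-number table are deliberately small constructed subsets, not any real server's configuration; the sample bodies are constructed too.

```python
"""
Cross-check three signals about an HTTP response: the URL's extension,
the Content-Type the server declares, and what the body actually looks
like.  Constructed example; every table here is a small illustrative
subset, not a real server's configuration.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed extension -> type lookup table (the "LUT" of the thread).
EXT_TYPES = {
    ".mpg": "video/mpeg",
    ".mpeg": "video/mpeg",
    ".exe": "application/x-msdownload",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".png": "image/png",
    ".html": "text/html",
    ".htm": "text/html",
    ".xml": "application/xml",
}

# Extensions that only mark server-side processing: the output type is
# whatever the handler emits, so the extension says nothing about the body.
HANDLER_EXTS = {".php", ".asp", ".cgi", ".shtml", ".pl"}

# Constructed magic-number table used to sniff the body.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\x00\x00\x01\xba", "video/mpeg"),  # MPEG program stream
    (b"\x00\x00\x01\xb3", "video/mpeg"),  # MPEG video sequence header
    (b"MZ", "application/x-msdownload"),  # DOS/PE executable
    (b"<?xml", "application/xml"),
]

# Types whose delivery under a media-looking name is the spoof the thread describes.
ACTIVE_TYPES = {"text/html", "application/x-msdownload"}
PASSIVE_PREFIXES = ("image/", "video/", "audio/")


def extension_of(url: str) -> str:
    """Extension of the URL path only; the query string is not part of the name."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def declared_type(content_type: str) -> str:
    """Media type without parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower()


def sniff(body: bytes):
    """Guess a type from the leading bytes; None when nothing is recognisable."""
    for magic, mtype in MAGIC:
        if body.startswith(magic):
            return mtype
    head = body[:512].lower()
    if any(tag in head for tag in (b"<!doctype html", b"<html", b"<script")):
        return "text/html"
    return None


def check(url: str, content_type: str, body: bytes) -> dict:
    """Return the three signals plus a list of disagreements between them."""
    ext = extension_of(url)
    declared = declared_type(content_type)
    sniffed = sniff(body)
    findings = []

    if ext in HANDLER_EXTS:
        ext_type = None
        findings.append("handler-extension")      # .php/.cgi/...: says nothing about output
    elif ext in EXT_TYPES:
        ext_type = EXT_TYPES[ext]
    else:
        ext_type = None
        findings.append("no-extension-type")      # directory URL, "logo.large", etc.

    if ext_type and ext_type != declared:
        findings.append("declared-vs-extension")  # server LUT and URL disagree
    if sniffed and sniffed != declared:
        findings.append("body-vs-declared")       # header lies about the bytes
    if ext_type and ext_type.startswith(PASSIVE_PREFIXES) and sniffed in ACTIVE_TYPES:
        findings.append("active-under-passive-extension")  # the spoofing case

    return {"extension_type": ext_type, "declared": declared,
            "sniffed": sniffed, "findings": findings}


# Constructed sample responses modelled on the URLs quoted in the thread.
SAMPLES = [
    ("http://www.foobar.com/movie.mpg", "video/mpeg", b"\x00\x00\x01\xba" + b"\x00" * 16),
    ("http://www.foobar.com/movie.mpg", "video/mpeg", b"MZ\x90\x00" + b"\x00" * 16),
    ("http://www.example.com/images/background.jpg", "text/html",
     b"<html><script>alert(1)</script></html>"),
    ("http://www.example.com/cgi-bin/clear.gif?webbug=IDNUMBERHERE", "image/gif",
     b"GIF89a" + b"\x00" * 16),
    ("http://xml.example.com/xmlfeed/", "application/xml", b"<?xml version='1.0'?><feed/>"),
    ("http://www.doxpara.com/index_old.php", "text/html; charset=iso-8859-1",
     b"<html><body>hi</body></html>"),
]


def run_samples():
    """Findings for each constructed sample, in SAMPLES order."""
    return [check(url, ctype, body)["findings"] for url, ctype, body in SAMPLES]


if __name__ == "__main__":
    for (url, ctype, _), findings in zip(SAMPLES, run_samples()):
        print(f"{url:62} {ctype:30} {findings or 'consistent'}")
```

The query string is dropped before the extension is read, so the `clear.gif?webbug=...` URL resolves to `image/gif` as the thread suggests it should, while `xmlfeed/` and `index_old.php` produce only informational findings: neither the directory URL nor the handler extension implies a body type, so the declared header is the only thing to trust. The two `movie.mpg` cases show the difference between a consistent response and the swapped-content spoof the thread describes.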

