Bugtraq mailing list archives

Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")


From: Kee Hinckley <nazgul () somewhere com>
Date: Fri, 25 Jul 2003 22:59:37 -0400

At 8:35 PM +0200 7/25/03, Denis Jedig wrote:
Internet Explorer seems to take no offense on Content-Types either - text/plain from a web server is happily rendered as HTML, if it contains valid tags.

It has long been a standard assertion that programs should produce standard-compliant protocols, but be lenient in accepting data contrary to the standard. Microsoft has taken this one step further. In addition to attempting (not unreasonably) to try and guess what the user is trying to do, they've written code that tries to guess what a remote client or server is trying to do. I think a history of Microsoft security holes clearly shows that this is *not* an appropriate programming practice. The acceptance of incorrect data makes security scanning by intermediate parties extremely difficult. Attempting to "correct" for incorrect remote behavior benefits nobody. It encourages programs and people to generate incorrect code, and it opens up security holes when by the standard there ought to be none. We've seen this time after time in things like HTML code embedded in JPEG comments, decimal IP addresses using intentional overflows, and a plethora of other cases. Policies that make sense in dealing with end user actions can be deadly when used with remote standards and protocols.

(Of course this policy also has the side effect of making it extremely difficult for smaller players to compete with the dominant one, since they have to be bug-for-bug compatible.)
--
Kee Hinckley
http://www.messagefire.com/          Anti-Spam Service for your POP Account
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
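The message above argues that a client which renders a text/plain body as HTML makes "security scanning by intermediate parties extremely difficult", because the scanner must reason about what a lenient client will do rather than what the header says. The following Python is an added example, not code from the thread or from any product it mentions: it implements the intermediate-party check the post implies, parsing a raw HTTP/1.x response and flagging the case where the declared media type is text/plain (or absent) but the body carries markup a sniffing browser would treat as HTML. The sample responses, the tag list and all function names are constructed for this illustration.

```python
"""Declared-vs-actual content type check for an intermediary (proxy, mail gateway, IDS).

Constructed example: parses a raw HTTP/1.x response and reports when the
Content-Type header says text/plain but the body looks like HTML, which is
exactly the case a lenient client would render as HTML despite the header.
"""
import re

# Tags whose presence in a supposedly plain body a sniffing client may act on.
# Hypothetical list chosen for this example, not a browser's actual sniffing rules.
HTML_TAG_RE = re.compile(
    rb"<\s*/?\s*(html|head|body|script|iframe|img|a|div|meta|title)\b",
    re.IGNORECASE,
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header/body separator")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def declared_media_type(headers) -> str:
    """Return the media type from Content-Type with any parameters (charset etc.) stripped."""
    content_type = headers.get("content-type", "")
    return content_type.split(";")[0].strip().lower()


def looks_like_html(body: bytes) -> bool:
    """True if the body contains markup from HTML_TAG_RE."""
    return HTML_TAG_RE.search(body) is not None


def content_type_mismatch(raw: bytes) -> dict:
    """Verdict for one response.

    'mismatch' is True when the server declared text/plain (or nothing) but the
    body would be rendered as HTML by a client that ignores the header.
    """
    _, headers, body = parse_response(raw)
    declared = declared_media_type(headers)
    html_like = looks_like_html(body)
    return {
        "declared": declared,
        "html_like": html_like,
        "mismatch": declared in ("text/plain", "") and html_like,
    }


# Constructed sample responses (not captured traffic).
PLAIN_OK = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"Just a plain note. 1 < 2 and 3 > 2.\r\n"
)
PLAIN_WITH_HTML = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"<html><body><script>alert(\"OUTLOOK EXPRESS\")</script></body></html>"
)
HTML_DECLARED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body>hi</body></html>"
)

if __name__ == "__main__":
    for name, raw in (("PLAIN_OK", PLAIN_OK),
                      ("PLAIN_WITH_HTML", PLAIN_WITH_HTML),
                      ("HTML_DECLARED", HTML_DECLARED)):
        print(name, content_type_mismatch(raw))
```

Only the second sample is flagged: the first is plain text that merely contains angle brackets, and the third declares text/html honestly, so a scanner can apply its normal HTML rules to it. The check is deliberately header-first, as the post recommends; what it cannot do is predict every heuristic a lenient client applies, which is the difficulty the message describes.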

