[web-devel] XSS vs charset
Kazu Yamamoto (山本和彦)
kazu at iij.ad.jp
Wed Apr 2 06:41:00 UTC 2014
> Yesod has more of a focus on dynamic content, and in those cases, we *do*
> already set charset=utf8[1]. Where this would affect Yesod is in
> yesod-static, in which case the same logic I've applied to Mighty would
> apply: users should not be able to affect the content of static files under
> normal circumstances, so the security concern is pretty remote.
When I checked Yesod today, it returned text/html without charset. But
it appeared that it was my mistake. What I saw was a 500
response (from Warp, not from Yesod). Sigh.
OK. Yesod returns charset. Good.
> To be clear, besides the security concerns, there is *definitely* a
> usability advantage in specifying charsets explicitly, in that the browser
> doesn't need to use defaults or guessing[2]. This just comes down to a
> numbers game: is it more likely that a browser will mis-guess the character
> encoding of UTF8 data, or that someone running Mighty will provide non-UTF8
> data?
I'm assuming that static files contain charset information in their
meta header. Creators of static files can do it by themselves without
asking their server operator.
--Kazu
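The thread turns on where a browser learns the encoding of an HTML document: the `charset` parameter of the `Content-Type` header, a `<meta>` declaration inside the document, or nowhere (in which case the browser falls back to defaults or guessing). The following audit helper is an added example and is not code from this thread, from Yesod, Mighty or Warp; it reports which of those three sources pins the charset for a given response. The 1024-byte window is an assumption borrowed from the HTML specification's byte-stream prescan, and the sample responses at the bottom are constructed for the example.

```python
"""Report where an HTML response declares its character encoding.

Added example, not from the web-devel thread or the projects it discusses.
Classifies a response as pinned by the Content-Type header, by a <meta>
charset declaration in the document head, or not pinned at all.
"""
import re

# Browsers only consult the leading bytes of a document when prescanning for a
# <meta> charset (the HTML spec's prescan covers the first 1024 bytes); the
# same limit is assumed here so a late <meta> tag is reported as ineffective.
PRESCAN_LIMIT = 1024

# charset parameter inside a Content-Type header value, e.g. "text/html; charset=UTF-8"
_CT_CHARSET = re.compile(r";\s*charset\s*=\s*\"?([A-Za-z0-9_.:-]+)\"?", re.I)

# <meta charset="..."> or <meta http-equiv="Content-Type" content="...; charset=...">
_META_CHARSET = re.compile(
    rb"<meta[^>]*?charset\s*=\s*[\"']?\s*([A-Za-z0-9_.:-]+)", re.I
)


def charset_from_content_type(content_type):
    """Return the lower-cased charset parameter of a Content-Type value, or None."""
    if not content_type:
        return None
    m = _CT_CHARSET.search(content_type)
    return m.group(1).lower() if m else None


def charset_from_meta(body):
    """Return the charset declared by a <meta> tag within the prescan window, or None."""
    m = _META_CHARSET.search(body[:PRESCAN_LIMIT])
    return m.group(1).decode("ascii").lower() if m else None


def charset_source(content_type, body):
    """Classify how a response pins its encoding.

    Returns (source, charset) with source in {'header', 'meta', 'none'}.
    The header takes precedence over <meta>, as it does in browsers.
    """
    cs = charset_from_content_type(content_type)
    if cs:
        return ("header", cs)
    cs = charset_from_meta(body)
    if cs:
        return ("meta", cs)
    return ("none", None)


# Constructed sample responses: (name, Content-Type header, body bytes).
SAMPLE_RESPONSES = [
    ("dynamic-page", "text/html; charset=UTF-8", b"<html><body>hi</body></html>"),
    ("static-with-meta", "text/html",
     b'<!DOCTYPE html><html><head><meta charset="utf-8"></head></html>'),
    ("static-legacy-meta", "text/html",
     b'<html><head><meta http-equiv="Content-Type" '
     b'content="text/html; charset=ISO-8859-1"></head></html>'),
    ("static-no-charset", "text/html", b"<html><head><title>x</title></head></html>"),
    # <meta> placed after the prescan window: a browser may never see it.
    ("static-late-meta", "text/html",
     b"<html><head>" + b"<!-- padding -->" * 100 + b'<meta charset="utf-8"></head>'),
]


def audit(responses):
    """Return the names of responses whose encoding is left to browser guessing."""
    return [name for name, ct, body in responses
            if charset_source(ct, body)[0] == "none"]


if __name__ == "__main__":
    for name, ct, body in SAMPLE_RESPONSES:
        print(name, charset_source(ct, body))
    print("unpinned:", audit(SAMPLE_RESPONSES))
```

Run against a real deployment, the `responses` list would be filled from fetched pages; the useful output is the `audit` result, since those are the documents whose interpretation depends on the browser rather than on the author or the server operator.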