httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 23421] - Remove AddDefaultCharset from httpd.conf as shipped
Date Fri, 10 Dec 2004 04:53:41 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=23421>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

------- Additional Comments From duerst@w3.org  2004-12-10 05:53 -------
I'm surprised that this bug is still around. The only justification for that
that I was able to find in the record is the pointer to the Client Side
Scripting (CSS) issue. However, this is based on a shallow understanding
of CSS. In order to avoid CSS, just setting whatever character encoding
is not good enough. A solution requires that the client side gets the
right character encoding. Of course, declaring iso-8859-1 as a default
doesn't work for a huge amount of Web pages. So this default should be
removed as quickly as possible, and the documentation for CSS should be
updated to make more clear that it's not "declare an encoding" but
"declare the right encoding" that is important (also for other reasons
than just security).

I can easily provide more information (e.g. a page that shows how use
of the wrong encoding, such as declaring a page as iso-8859-1 that
isn't iso-8859-1, can lead to attacks) if contacted directly.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
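
The comment's point that the declared encoding has to be the right one can be checked mechanically. The following is an added example, not part of the original message or of httpd: a Python audit that compares a response's declared charset with the bytes actually served. The header strings and page bodies are constructed, and the UTF-8 test is a heuristic applied only to iso-8859-1 and windows-1252 declarations.

```python
import codecs
import re

CHARSET_RE = re.compile(r'charset\s*=\s*"?([A-Za-z0-9._:-]+)', re.I)
# Codecs that accept (almost) any byte string, so a clean decode proves nothing.
PERMISSIVE = {"iso8859-1", "cp1252"}

def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, lowercased, or None."""
    m = CHARSET_RE.search(content_type or "")
    return m.group(1).lower() if m else None

def looks_like_utf8(body):
    """True if body contains non-ASCII bytes and all of them form valid UTF-8."""
    if body.isascii():
        return False
    try:
        body.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def audit(content_type, body):
    """Classify a response as undeclared, unknown-charset, mismatch or consistent."""
    cs = declared_charset(content_type)
    if cs is None:
        return "undeclared"
    try:
        name = codecs.lookup(cs).name      # normalises aliases such as latin1
    except LookupError:
        return "unknown-charset"
    try:
        body.decode(name)
    except UnicodeDecodeError:
        return "mismatch"                  # bytes are invalid in the declared encoding
    if name in PERMISSIVE and looks_like_utf8(body):
        return "mismatch"                  # UTF-8 page labelled with a default like iso-8859-1
    return "consistent"

if __name__ == "__main__":
    # Constructed sample: a UTF-8 page served under a server-wide iso-8859-1 default.
    utf8_page = "<p>R\u00e9sum\u00e9 \u65e5\u672c\u8a9e</p>".encode("utf-8")
    latin_page = "<p>caf\u00e9</p>".encode("iso-8859-1")
    for ctype, body in [("text/html; charset=ISO-8859-1", utf8_page),
                        ("text/html; charset=utf-8", utf8_page),
                        ("text/html; charset=utf-8", latin_page),
                        ("text/html", utf8_page)]:
        print(ctype, "->", audit(ctype, body))
```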

