Closed aykevl closed 7 years ago
Good points. I like your suggestion about asking senders to verify the Content-Type. (I guess if we wanted to be more obscure we would add a new content-type for our policies, but that seems not worth the work.)
I don't see a good reason to specify the charset--ISO-8859-1 or UTF8 both seem to work as long as the user-agent understands them.
I agree, a new media type would make things unnecessarily complex.
You might want to reference RFC7231 section 3.1.1.1 when discussing the Content-Type header, as it describes the syntax of the header. I also think it is more general to just specify additional parameters may be ignored. There could in theory be other parameters (like codec
, even though it doesn't make sense for text/plain). In practice, the media type (type/subtype
) is limited by a ;
char (and possibly whitespace), so anything after the ;
can be ignored.
0d170c8
Thanks!
Looks good, thanks!
Currently, the Content-Type MUST be
text/plain
. But what about e.g.text/plain; charset=utf-8
? Are extra parameters intentionally not allowed? Some webservers may be configured in such a way that anytext/*
file will be served with acharset=utf-8
(or similar), to prevent issues with charsets. This is normally perfectly legal in HTTP.Also, it may be a good idea to tell mail senders they SHOULD or MUST verify the Content-Type. This might fix some obscure security problems in which a user is able to add crafted HTML to a special URL (.well-known/mta-sts.txt) but not plain text.