Closed aykevl closed 7 years ago
danmarg
commented
7 years ago Good points. I like your suggestion about asking senders to verify the Content-Type. (I guess if we wanted to be more obscure we would add a new content-type for our policies, but that seems not worth the work.)
I don't see a good reason to specify the charset--ISO-8859-1 or UTF8 both seem to work as long as the user-agent understands them.
aykevl
commented
7 years ago I agree, a new media type would make things unnecessarily complex.
You might want to reference RFC7231 section 3.1.1.1 when discussing the Content-Type header, as it describes the syntax of the header. I also think it is more general to just specify additional parameters may be ignored. There could in theory be other parameters (like codec, even though it doesn't make sense for text/plain). In practice, the media type (type/subtype) is limited by a ; char (and possibly whitespace), so anything after the ; can be ignored.
danmarg
commented
7 years ago 0d170c8
Thanks!
aykevl
commented
7 years ago Looks good, thanks!
Currently, the Content-Type MUST be
text/plain. But what about e.g.text/plain; charset=utf-8? Are extra parameters intentionally not allowed? Some webservers may be configured in such a way that anytext/*file will be served with acharset=utf-8(or similar), to prevent issues with charsets. This is normally perfectly legal in HTTP.Also, it may be a good idea to tell mail senders they SHOULD or MUST verify the Content-Type. This might fix some obscure security problems in which a user is able to add crafted HTML to a special URL (.well-known/mta-sts.txt) but not plain text.