phax
commented
2 months ago For v2.8.2 the charset parameter was removed from the main Content-Type; for the MIME part Content-Type the charset was already present.
Regarding the start parameter for multipart/related according to RFC 2387 chapter 3.2:
The start parameter, if given, is the content-ID of the compound object's "root". If not present the "root" is the first body part in the Multipart/Related entity. The "root" is the element the applications processes first.
As the main body part is ALWAYS the root, the start parameter is not needed.
Regarding the start-info parameter for multipart/related according to RFC 2387 chapter 3.3:
Additional information can be provided to an application by the start-info parameter. It contains either a string or points, via content-ID, to another MIME entity in the message. A typical use might be to provide additional command line parameters or a MIME entity giving auxiliary information for processing the compound object. Applications that use Multipart/Related must specify the interpretation of start-info. User Agents shall provide the parameter's value to the processing application. Processes can distinguish a start-info reference from a token or quoted-string by examining the first non-white-space character, "<" indicates a reference.
As Applications that use Multipart/Related must specify the interpretation of start-info. is not the case for AS4, I decided to not use this parameter either.
The existing
Content-Typeheader with the formis not ideal in regards to OWASP rules:
Content-Typewith lower score:and within first MIME part: