headers
Ian Hickson | 1 Jun 2009 10:18
Picon

Re: comments on draft-barth-mime-sniffing

On Sun, 31 May 2009, Adam Barth wrote:
> > 
> > I see no justification whatsoever for allowing conforming user agents 
> > to sniff types for new elements such as <video>, or encouraging such 
> > behavior, which is just opening the door for whole other categories of 
> > spoofing.  Certainly this isn't represented by any deployed 
> > infrastructure.
> 
> The current draft doesn't take a position on this issue.  Is there 
> something you'd like changed in the draft pursuant to the above?

The current HTML5 spec's position on this issue is that the Content-Type 
header is completely ignored in the processing of <video>, I believe. 
(Like with <img>, though less explicitly.) There's no sniffing algorithm 
defined or referenced; it is assumed that video formats define how to 
recognise themselves.

I'd be happy to require the browsers to obey Content-Type rigorously here 
if they are willing to implement such requirements. Can any browser 
vendors comment on this issue?

(In practice, many video files seem to be transmitted with completely 
bogus MIME types; indeed video, possibly primarily pornographic video, is 
the primary motivator for the "text vs binary" sniffing algorithm in the 
content sniffing draft, which is invoked when navigating to files, as 
opposed to when using <video>.)

--

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
(Continue reading)

Permalink | Reply |
headers
Robert O'Callahan | 1 Jun 2009 11:39

Re: comments on draft-barth-mime-sniffing

On Mon, Jun 1, 2009 at 8:18 PM, Ian Hickson <ian-Y1JINVRCvcs@public.gmane.org> wrote:

The current HTML5 spec's position on this issue is that the Content-Type
header is completely ignored in the processing of <video>, I believe.

Hmm, really? In our media element implementation, we honor Content-Type completely and do no sniffing whatever.

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Permalink | Reply |
headers
Ian Hickson | 12 Jun 2009 20:55
Picon

Re: comments on draft-barth-mime-sniffing

On Mon, 1 Jun 2009, Robert O'Callahan wrote:
> On Mon, Jun 1, 2009 at 8:18 PM, Ian Hickson <ian@...> wrote:
> > The current HTML5 spec's position on this issue is that the 
> > Content-Type header is completely ignored in the processing of 
> > <video>, I believe.
> 
> Hmm, really? In our media element implementation, we honor Content-Type 
> completely and do no sniffing whatever.

I've updated HTML5 to require that Content-Types of types that are not 
supported cause the resource to be ignored (even if it would otherwise be 
supported).

--

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Permalink | Reply |
headers
David Singer | 16 Jun 2009 22:45
Picon
Favicon

Re: comments on draft-barth-mime-sniffing

At 18:55  +0000 12/06/09, Ian Hickson wrote:
>On Mon, 1 Jun 2009, Robert O'Callahan wrote:
>>  On Mon, Jun 1, 2009 at 8:18 PM, Ian Hickson <ian@...> wrote:
>>  > The current HTML5 spec's position on this issue is that the
>>  > Content-Type header is completely ignored in the processing of
>>  > <video>, I believe.
>>
>>  Hmm, really? In our media element implementation, we honor Content-Type
>>  completely and do no sniffing whatever.
>
>I've updated HTML5 to require that Content-Types of types that are not
>supported cause the resource to be ignored (even if it would otherwise be
>supported).

We're concerned about this, though we support the hope that we can 
get away from doing content-type sniffing in this area.

1) if you use a multimedia framework that you don't control, and it 
does content-type sniffing, then you get it whether you want it or 
not.  QuickTime does, so Safari does, right now.

2) End-users posting AV content rarely have access to the MIME type 
config. of their server (often, their ISP's server).  Getting the 
MIME type table updated can take ages.

3) Once one browser gets a competitive 'edge' by sniffing, the rest 
usually follow.  It's hard to see why this would not happen in this 
case.

Our data suggests that the amount of AV content on the net, today, 
that is served under 'wrong' MIME types is perhaps 10-15%, which 
doesn't seem ignorable.  One of the 'wrong' types is 
application/octet-stream, which seems to invite sniffing;  and of 
course a lot of the rest is text/plain, which is (I believe) Apache's 
default.

So, we're with the motivation, but not sure we're with the spec. as 
written. Hm.
--

-- 
David Singer
Multimedia Standards, Apple Inc.
Permalink | Reply |
headers
Ian Hickson | 30 Jun 2009 13:17
Picon

Re: comments on draft-barth-mime-sniffing

On Tue, 16 Jun 2009, David Singer wrote:
> > 
> > I've updated HTML5 to require that Content-Types of types that are not 
> > supported cause the resource to be ignored (even if it would otherwise 
> > be supported).
> 
> We're concerned about this, though we support the hope that we can get 
> away from doing content-type sniffing in this area.
> 
> 1) if you use a multimedia framework that you don't control, and it does 
> content-type sniffing, then you get it whether you want it or not.  
> QuickTime does, so Safari does, right now.

There are many requirements in the spec that require that libraries do 
particular things. If the library you use doesn't do the right thing, you 
will either need to fix it or reimplement it. (This is why some browsers, 
for instance, don't use their system HTTP stack -- it's often the case 
that the system's HTTP stack isn't standards-compliant enough.)

> 2) End-users posting AV content rarely have access to the MIME type 
> config. of their server (often, their ISP's server).  Getting the MIME 
> type table updated can take ages.

Indeed.

> 3) Once one browser gets a competitive 'edge' by sniffing, the rest 
> usually follow.  It's hard to see why this would not happen in this 
> case.

Once it does, I guess we'll define how the sniffing must occur.

--

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Permalink | Reply |
headers
Joe D Williams | 17 Jun 2009 02:00
Picon
Favicon

Re: comments on draft-barth-mime-sniffing


> We're concerned about this, though we support the hope that we can 
> get away from doing content-type sniffing in this area.

I hope so too. For <video> and <audio> it seems like a fairly 
specified contract about what can be expected to play in a W3C HTML 5 
browser. Is sniffing always required? For <object> it has seemed like 
 <at> data targets were sniffed, but for a param URL the url was sent to 
the player and the player essentially got to manage getting and 
running the content.

If the allowed by the spec file extensions are listed then that will 
probably be enough to start out with.
Trust the author to test before deployment.

I would not expect to be using any particular media player, but one 
essentially built-in that is tuned to work with this spec. If I want 
_all_ the bells and whistles and the specific or optimized or 
(streaming?) file types and codecs provided by the major competitors 
in media players, then I will 'fallback' to <object> for possible 
access to maybe proprietary file extensions.
What I as an author am looking for in these elements is a sure-fire 
way to get something running. From abstraction I would not expect to 
get the current default win/ie or apple/safari or realplayer or adobe 
whatever optioned media player, for example, or something else that 
the user may have installed and uses for the system default for the 
registered mimes, but instead the 'standard' simple, possibly 
restricted "no brand" player 'built-in' to the HTML 5 browser. This 
will not handle everything, but if it runs and I need more or 
different then maybe I can get user cooperation to bootstrap me into 
what might be more complex or effective interactive multiple media 
environment.

So, me as the author knows the rules and what is supposed to be where 
I say it is so I would expect the host to get that <video> or <audio> 
player going with what I have put out there without a lot of delay and 
questions. On the other hand, if I don't know what is coming in and I 
wanted to try <video> first and I got an unsupported (by <video> or 
<audio>) MIME or file extension, then I would have to fallback to 
<object> to try and handle it by  <at> type and/or  <at> classid selection with 
what might end up to be the actual current user specified default 
player for the browser host platform .

I think the reason for host browser needing to sniff content streams 
in general is not so much needed in this case. Perhaps the file 
extensions for these element's content are more well known and better 
defined than their MIMEs. Since the author should know (I mean if 
tested at home; it should work on the WWW!). So I would say in this 
case it is not possible to recommend actual sniffing by the host 
browser past the file extension. Maybe in these cases of <audio> and 
<video> if the file extension is recognized, treat it if  <at> type was 
+xml and just pass the URL to the handler and let it start to work it 
out?

Thank You and Best Regards,
Joe
Permalink | Reply |
headers
Simon Pieters | 15 Jun 2009 08:23
Picon
Favicon

Re: comments on draft-barth-mime-sniffing

On Fri, 12 Jun 2009 20:55:29 +0200, Ian Hickson <ian@...> wrote:

> I've updated HTML5 to require that Content-Types of types that are not
> supported cause the resource to be ignored (even if it would otherwise be
> supported).

If a UA does not know what is not supported, is it reasonable to consider  
anything that is not video/* or audio/* to be not supported?

--

-- 
Simon Pieters
Opera Software
Permalink | Reply |
headers
Jamie Lokier | 16 Jun 2009 17:25

Re: comments on draft-barth-mime-sniffing

Simon Pieters wrote:
> On Fri, 12 Jun 2009 20:55:29 +0200, Ian Hickson <ian@...> wrote:
> 
> >I've updated HTML5 to require that Content-Types of types that are not
> >supported cause the resource to be ignored (even if it would otherwise be
> >supported).
> 
> If a UA does not know what is not supported, is it reasonable to consider  
> anything that is not video/* or audio/* to be not supported?

For video, content negotiation is probably going to end up being done
in Javascript rather than HTTP, or by User-Agent recognition.

The Content-Type of video/* simply doesn't provide enough information,
in practice to tell if the file can be played or not by a particular
browser / video player.  The file itself must be read, to determine
the codecs used.  Of course the client must understand the file
format, but the tough part is understanding the codec format inside
the file format, which is just a container.

Although there is an RFC specifying MIME sub-types to video/*
describing the codecs, I don't see any way to sensibly fit that into
HTTP's Accept: content-negotiation.

-- Jamie
Permalink | Reply |
headers
Anne van Kesteren | 16 Jun 2009 17:32
Picon
Favicon
Gravatar

Re: comments on draft-barth-mime-sniffing

On Tue, 16 Jun 2009 17:25:43 +0200, Jamie Lokier <jamie@...> wrote:
> Simon Pieters wrote:
>> On Fri, 12 Jun 2009 20:55:29 +0200, Ian Hickson <ian@...> wrote:
>>> I've updated HTML5 to require that Content-Types of types that are not
>>> supported cause the resource to be ignored (even if it would otherwise  
>>> be supported).
>>
>> If a UA does not know what is not supported, is it reasonable to  
>> consider anything that is not video/* or audio/* to be not supported?
>
> For video, content negotiation is probably going to end up being done
> in Javascript rather than HTTP, or by User-Agent recognition.

Still, if the user agent does a request, should it abort the request if the media type of the response is not
video/* or audio/*?

--

-- 
Anne van Kesteren
http://annevankesteren.nl/
Permalink | Reply |
headers
Jamie Lokier | 16 Jun 2009 20:23

Re: comments on draft-barth-mime-sniffing

Anne van Kesteren wrote:
> On Tue, 16 Jun 2009 17:25:43 +0200, Jamie Lokier <jamie@...> wrote:
> > Simon Pieters wrote:
> >> On Fri, 12 Jun 2009 20:55:29 +0200, Ian Hickson <ian@...> wrote:
> >>> I've updated HTML5 to require that Content-Types of types that are not
> >>> supported cause the resource to be ignored (even if it would otherwise  
> >>> be supported).
> >>
> >> If a UA does not know what is not supported, is it reasonable to  
> >> consider anything that is not video/* or audio/* to be not supported?
> >
> > For video, content negotiation is probably going to end up being done
> > in Javascript rather than HTTP, or by User-Agent recognition.
> 
> Still, if the user agent does a request, should it abort the request
> if the media type of the response is not video/* or audio/*?

I'm thinking if the response is an animated GIF, of type image/gif,
why forbid a <video> element from being allowed to play it as a video.

I'm also thinking, why forbid other image/* types from being played as
static videos.  After all, sometimes single-frame video/* files (such
as an MPEG single I-Frame) are sometimes created for this purpose on
real video players.  It would seem odd to allow the display of
single-frame video files, but forbid image/* files from behaving
exactly the same way.

-- Jamie
Permalink | Reply |
headers
Ian Hickson | 30 Jun 2009 13:11
Picon

Re: comments on draft-barth-mime-sniffing

On Mon, 15 Jun 2009, Simon Pieters wrote:
> On Fri, 12 Jun 2009 20:55:29 +0200, Ian Hickson <ian@...> wrote:
> 
> > I've updated HTML5 to require that Content-Types of types that are not 
> > supported cause the resource to be ignored (even if it would otherwise 
> > be supported).
> 
> If a UA does not know what is not supported, is it reasonable to 
> consider anything that is not video/* or audio/* to be not supported?

The way the spec is phrased, yes.

On Tue, 16 Jun 2009, Jamie Lokier wrote:
> 
> For video, content negotiation is probably going to end up being done in 
> Javascript rather than HTTP, or by User-Agent recognition.

HTML5 actually has a built-in way of doing fallback for <video>.

On Tue, 16 Jun 2009, Anne van Kesteren wrote:
> 
> Still, if the user agent does a request, should it abort the request if 
> the media type of the response is not video/* or audio/*?

Assuming the type is one "that the user agent knows it cannot render", 
yes.

On Tue, 16 Jun 2009, Jamie Lokier wrote:
> 
> I'm thinking if the response is an animated GIF, of type image/gif, why 
> forbid a <video> element from being allowed to play it as a video.

I believe the spec allows this.

> I'm also thinking, why forbid other image/* types from being played as 
> static videos.  After all, sometimes single-frame video/* files (such as 
> an MPEG single I-Frame) are sometimes created for this purpose on real 
> video players.  It would seem odd to allow the display of single-frame 
> video files, but forbid image/* files from behaving exactly the same 
> way.

I believe a browser is allowed to do this as currently written.

--

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Permalink | Reply |
headers
Adam Barth | 5 Jun 2009 10:04

Re: comments on draft-barth-mime-sniffing

On Mon, Jun 1, 2009 at 2:39 AM, Robert O'Callahan <robert@...> wrote:
> On Mon, Jun 1, 2009 at 8:18 PM, Ian Hickson <ian@...> wrote:
>>
>> The current HTML5 spec's position on this issue is that the Content-Type
>> header is completely ignored in the processing of <video>, I believe.
>
> Hmm, really? In our media element implementation, we honor Content-Type
> completely and do no sniffing whatever.

I've removed all mention of audio or video formats from the I-D.  I
think it's wise to wait and see how <video> and <audio> get deployed.
If we can follow Content-Types strictly, that would be great.

Adam
Permalink | Reply |
headers
Jamie Lokier | 8 Jun 2009 04:06

Re: comments on draft-barth-mime-sniffing

Adam Barth wrote:
> On Mon, Jun 1, 2009 at 2:39 AM, Robert O'Callahan <robert@...> wrote:
> > On Mon, Jun 1, 2009 at 8:18 PM, Ian Hickson <ian@...> wrote:
> >>
> >> The current HTML5 spec's position on this issue is that the Content-Type
> >> header is completely ignored in the processing of <video>, I believe.
> >
> > Hmm, really? In our media element implementation, we honor Content-Type
> > completely and do no sniffing whatever.
> 
> I've removed all mention of audio or video formats from the I-D.  I
> think it's wise to wait and see how <video> and <audio> get deployed.
> If we can follow Content-Types strictly, that would be great.

Video formats are incredibly diverse, and typically consist of:

    - The container file format, or sometimes no container.

    - The container (if there is one) has 1 or more streams of video
      (and audio).

    - Each video stream may be any common video encoding (codec).

E.g. you can have MPEG video inside an AVI, MPEG video inside an MPEG
container, WMV video inside a WMV container, or WMV inside an AVI
container, etc.  Although it's a hideous mess, there's a certain
amount of orthogonality between the container formats and the video
encodings they can contain.

Am I right that the Content-Type merely says the type of the container
format, and says nothing about the format of encoded video(s) within?

-- Jamie
Permalink | Reply |
headers
Boris Zbarsky | 8 Jun 2009 04:18
Picon
Favicon

Re: comments on draft-barth-mime-sniffing

Jamie Lokier wrote:
> Am I right that the Content-Type merely says the type of the container
> format, and says nothing about the format of encoded video(s) within?

I believe this is correct.  Certainly the MIME type Gecko looks for 
where video is concerned is video/ogg or application/ogg.

I would hope that container formats define how to figure out the types 
of media streams they contain.  If they don't, then that's unfortunate....

-Boris
Permalink | Reply |
headers
Jamie Lokier | 8 Jun 2009 04:57

Re: comments on draft-barth-mime-sniffing

Boris Zbarsky wrote:
> Jamie Lokier wrote:
> >Am I right that the Content-Type merely says the type of the container
> >format, and says nothing about the format of encoded video(s) within?
> 
> I believe this is correct.  Certainly the MIME type Gecko looks for 
> where video is concerned is video/ogg or application/ogg.
> 
> I would hope that container formats define how to figure out the types 
> of media streams they contain.  If they don't, then that's unfortunate....

There's always a way to find out the subtypes, of course, but it can
be quite complicated.

E.g. the unix "file" command does not try, because it's more
complicated than a fixed header in the file.

-- Jamie
Permalink | Reply |
headers
Robert O'Callahan | 8 Jun 2009 04:15

Re: comments on draft-barth-mime-sniffing

On Mon, Jun 8, 2009 at 2:06 PM, Jamie Lokier <jamie-yetKDKU6eevNLxjTenLetw@public.gmane.org> wrote:

Am I right that the Content-Type merely says the type of the container
format, and says nothing about the format of encoded video(s) within?
 
No.

http://tools.ietf.org/html/rfc4281

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Permalink | Reply |
headers
Jamie Lokier | 8 Jun 2009 04:58

Re: comments on draft-barth-mime-sniffing

Robert O'Callahan wrote:
> 
>    On Mon, Jun 8, 2009 at 2:06 PM, Jamie Lokier <[1]jamie@...>
>    wrote:
> 
>    Am I right that the Content-Type merely says the type of the container
> 
>      format, and says nothing about the format of encoded video(s)
>      within?
> 
>    No.
>    [2]http://tools.ietf.org/html/rfc4281

Thanks!  I hadn't heard of that.

*chuckles* I will be *astonished* if Apache and other web servers
consistently report the correct, full RFC4281 Content-Type for video
files :-)

-- Jamie
Permalink | Reply |
headers
Robert O'Callahan | 8 Jun 2009 05:32

Re: comments on draft-barth-mime-sniffing

On Mon, Jun 8, 2009 at 2:58 PM, Jamie Lokier <jamie-yetKDKU6eevNLxjTenLetw@public.gmane.org> wrote:

*chuckles* I will be *astonished* if Apache and other web servers
consistently report the correct, full RFC4281 Content-Type for video
files :-)
 
As long as they get the container type right, no sniffing will be needed.

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Permalink | Reply |
headers
Boris Zbarsky | 8 Jun 2009 04:19
Picon
Favicon

Re: comments on draft-barth-mime-sniffing

Robert O'Callahan wrote:
> No.
> 
> http://tools.ietf.org/html/rfc4281

Ah, I stand corrected.  ;)

-Boris
Permalink | Reply |

Gmane