W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

RE: Content security model

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Thu, 26 Jul 2012 10:04:55 +1000
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E114F800B6F5@WSMSG3153V.srv.dir.telstra.com>
> > 3) HTTP security controls should only secure content.
> > Signing headers is not only difficult, it is often counterproductive.
> > If a Web service depends on information in a header
> > there is probably something wrong.

What about the URI?
What about the method (GET, POST, DELETE...)?

Only protecting the body only works for RPC-style web services in which every request is a POST to a single API endpoint (eg POST /api/ HTTP/1.1). Even then the body needs to have an "audience" field that is likely to repeat the host (or URI).

HTTP/2 needs to support REST APIs, where the method and URI are crucial parts.

> > From these I draw the following conclusions:
> >
> > * HTTP 2.0 should draw a distinction between routing headers and
> >   content meta-data

+1
Though I suspect there are lots of headers where this distinction is not crystal clear.

> > * HTTP encryption and authentication are necessary independent of TLS
> >   support

--
James Manger
Received on Thursday, 26 July 2012 00:05:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 July 2012 00:05:38 GMT