Re: The document's address

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 08 Mar 2013 16:42:11 +0100
Message-ID: <513A06D3.6030802@gmx.de>
To: Nicholas Shanks <nickshanks@gmail.com>
CC: IETF HTTP Working Group <ietf-http-wg@w3.org>, alexandre.fournel@gmail.com

On 2013-03-08 16:32, Nicholas Shanks wrote:
> On 18 January 2013 12:23, Roy T. Fielding <fielding@gbiv.com> wrote:
>
>> Which would be a security hole if /collection-uri and /resource-uri
>> are controlled by different owners.  In practice, there is no way
>> for clients to know the scope of resource ownership.
>
> I have always presumed that it must be defined somewhere that resource
> ownership is accumulative and descendant.
> i.e. the owner of the .uk TLD "owns" (can be considered authoritative
> for) all resources under that domain, and that the (different) owner
> of ".gov.uk" additionally owns all resources under *that* domain.
> Isn't that how DNS, BCP, zones and glue all work?
> Therefore a resource such as
> http://homepages.megahostcorp.com/~fred/jane/jogging.html would have
> the following owner set: { Network Solutions, Megahost Corp, Fred
> Smith, Jane Smith } each one authoritative for all resources
> underneath it (rtl for DNS; dot separated, ltr for paths; slash
> separated)
>
> Given this, a client or caching proxy CAN know that responses from
> /~fred are authoritative for /~fred/jane/jogging.html (but not for
> /~fredjones)
> ...

That implies a concept of hierarchical ownership that simply does not 
exist in HTTP. It might for some servers, but there's no guarantee.

Best regards, Julian
Received on Friday, 8 March 2013 15:42:46 GMT
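
The quoted proposal treats /~fred as covering /~fred/jane/jogging.html but not /~fredjones. The following Python sketch is an added example, not part of either message, of the segment-wise comparison that distinction requires; `within_scope` is a hypothetical helper name, and every URL other than the two from the thread is constructed. The comparison is purely syntactic: as the reply says, HTTP does not guarantee hierarchical ownership, so a True result is not proof of authority.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin_and_segments(url):
    """Return ((scheme, host, port), [decoded path segments]) for an http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    origin = (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])
    segments = []
    # Split on literal "/" BEFORE percent-decoding, so an encoded slash
    # (%2F) stays inside one segment and cannot fake a hierarchy level.
    for raw in parts.path.split("/")[1:]:
        seg = unquote(raw)
        if seg == "..":            # also catches %2e%2e after decoding
            if segments:
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    return origin, segments

def within_scope(scope_url, target_url):
    """True if target_url lies under scope_url, compared segment by segment.

    Syntactic check only: it says nothing about who controls the resource.
    """
    s_origin, s_segs = _origin_and_segments(scope_url)
    t_origin, t_segs = _origin_and_segments(target_url)
    if s_segs and s_segs[-1] == "":     # "/~fred/" and "/~fred" name the same scope
        s_segs = s_segs[:-1]
    return s_origin == t_origin and t_segs[:len(s_segs)] == s_segs

if __name__ == "__main__":
    base = "http://homepages.megahostcorp.com"
    for target in ("/~fred/jane/jogging.html",   # from the thread
                   "/~fredjones",                # from the thread
                   "/~fred/../~bob/x.html",      # constructed: dot-segment escape
                   "/~fred%2Fjane"):             # constructed: encoded slash
        print(target, within_scope(base + "/~fred", base + target))
```

A plain string-prefix test would accept both /~fredjones and /~fred/../~bob/x.html, which is why the comparison is done on normalized segments.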