- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 08 Mar 2013 16:42:11 +0100
- To: Nicholas Shanks <nickshanks@gmail.com>
- CC: IETF HTTP Working Group <ietf-http-wg@w3.org>, alexandre.fournel@gmail.com
On 2013-03-08 16:32, Nicholas Shanks wrote:
> On 18 January 2013 12:23, Roy T. Fielding <fielding@gbiv.com> wrote:
>
>> Which would be a security hole if /collection-uri and /resource-uri
>> are controlled by different owners. In practice, there is no way
>> for clients to know the scope of resource ownership.
>
> I have always presumed that it must be defined somewhere that resource
> ownership is accumulative and descendant.
> i.e. the owner of the .uk TLD "owns" (can be considered authoritative
> for) all resources under that domain, and that the (different) owner
> of ".gov.uk" additionally owns all resources under *that* domain.
> Isn't that how DNS, BCP, zones and glue all work?
> Therefore a resource such as
> http://homepages.megahostcorp.com/~fred/jane/jogging.html would have
> the following owner set: { Network Solutions, Megahost Corp, Fred
> Smith, Jane Smith } each one authoritative for all resources
> underneath it (rtl for DNS; dot separated, ltr for paths; slash
> separated)
>
> Given this, a client or caching proxy CAN know that responses from
> /~fred are authoritative for /~fred/jane/jogging.html (but not for
> /~fredjones)
> ...

That implies a concept of hierarchical ownership that simply does not exist in HTTP. It might for some servers, but there's no guarantee.

Best regards, Julian
Received on Friday, 8 March 2013 15:42:46 UTC
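The ownership model sketched in the quoted message (DNS labels right to left, path segments left to right) and its /~fred vs /~fredjones pitfall, as an added example that is not code from the thread: the first function is the naive string-prefix check that wrongly treats /~fred as covering /~fredjones, the second applies the segment-aware rule using the thread's own example URL.

```python
from urllib.parse import urlsplit


def naive_covers(scope_url: str, target_url: str) -> bool:
    """Plain string-prefix test. This is the bug hiding behind
    "/~fred covers /~fredjones": the prefix ignores segment boundaries."""
    return target_url.startswith(scope_url)


def hierarchical_covers(scope_url: str, target_url: str) -> bool:
    """Segment-aware check of the hierarchical model from the thread:
    - the scope host must equal the target host, or be a dot-boundary
      suffix of it (DNS, right to left);
    - the scope path segments must be a slash-boundary prefix of the
      target path segments (paths, left to right).
    Assumption (constructed for this example, not an HTTP rule): the
    server really lays out ownership along these boundaries."""
    s, t = urlsplit(scope_url), urlsplit(target_url)
    if s.scheme != t.scheme:
        return False
    sh, th = (s.hostname or "").lower(), (t.hostname or "").lower()
    # "megahostcorp.com" is a label suffix of "homepages.megahostcorp.com",
    # but "hostcorp.com" is not: the boundary must fall on a dot.
    if not (th == sh or th.endswith("." + sh)):
        return False
    s_segs = [x for x in s.path.split("/") if x]
    t_segs = [x for x in t.path.split("/") if x]
    # "~fred" must be a whole segment, so "~fredjones" does not match.
    return t_segs[:len(s_segs)] == s_segs


if __name__ == "__main__":
    scope = "http://homepages.megahostcorp.com/~fred"
    for target in ("http://homepages.megahostcorp.com/~fred/jane/jogging.html",
                   "http://homepages.megahostcorp.com/~fredjones"):
        print(target, naive_covers(scope, target), hierarchical_covers(scope, target))
```

Even the segment-aware rule only encodes an assumption about how one server is laid out; as the reply says, HTTP gives no such guarantee, so a client or cache cannot treat a passing check as evidence of common ownership.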