- From: Robin Berjon <robin@berjon.com>
- Date: Sun, 19 Apr 2009 16:24:52 +0200
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-webapps@w3.org
Hi Thomas,
On Apr 16, 2009, at 17:23 , Thomas Roessler wrote:
> 1. How is the information in this access element going to be used at
> installation time or distribution time? I'd like to see some spec
> text that explains this.
My understanding is that this is like the feature element and others:
it is metadata and its enforcement depends on a security policy. When
that security policy intervenes (I would expect at runtime, for every
access) is presumably orthogonal.
> 2. If one of the risks we're interested in is firewall traversal,
> then the proposed domain name wildcard has a somewhat different
> risk profile than just a single domain name: while you can do a DNS
> rebinding attack for a single hostname, that's a well-known issue,
> and hopefully worked around in today's browser engines. With the
> wildcard, though, it becomes relatively easy to do firewall
> traversal: For example, one could simply generate DNS records
> n.n.n.n.example.com that point to the IP address n.n.n.n.
I think that this is also meant to be orthogonal to firewalls, but
maybe I'm missing something?
--
Robin Berjon - http://berjon.com/
Feel like hiring me? Go to http://robineko.com/
Received on Sunday, 19 April 2009 14:25:30 UTC
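The wildcard concern raised in point 2 of the quoted message can be checked at the point where a policy decides on each access. The following is an added example, not part of the original thread or of any widget specification; the `*.example.com` pattern syntax, the function names and the internal address ranges are assumptions, and the resolutions are constructed sample data.

```python
import ipaddress

# Ranges treated as "behind the firewall" (assumed policy, adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

def matches_access(pattern, host):
    """True if host is covered by pattern; '*.example.com' = any subdomain."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]               # keeps the leading dot
        return host.endswith(suffix) and host != suffix
    return host == pattern

def is_internal(addr):
    """True if addr falls in an internal range, unwrapping IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)

def check_access(pattern, host, resolved):
    """Decide one access: the name must match AND resolve outside the firewall.
    'resolved' must be the addresses the connection will actually use."""
    if not matches_access(pattern, host):
        return (False, "host not covered by access pattern")
    internal = [a for a in resolved if is_internal(a)]
    if internal:
        return (False, "resolves to internal address " + ", ".join(internal))
    return (True, "ok")

# Constructed sample resolutions (no DNS lookups are performed).
SAMPLE = {
    "api.example.com": ["203.0.113.7"],
    "10.0.0.5.example.com": ["10.0.0.5"],          # the n.n.n.n pattern
    "v6.example.com": ["::ffff:192.168.1.1"],      # IPv4-mapped internal
}

if __name__ == "__main__":
    for host, addrs in SAMPLE.items():
        print(host, check_access("*.example.com", host, addrs))
```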