
Re: Revisiting Authoritative Metadata (was: The failure of Appendix C as a transition technique)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 01 Mar 2013 03:04:51 +0100
To: Robin Berjon <robin@w3.org>
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <f0svi8ptv8jj87r21pjencgu87nd8s2t3c@hive.bjoern.hoehrmann.de>
* Robin Berjon wrote:
>I would support the TAG revisiting the topic of Authoritative Metadata, 
>but with a view on pointing out that it is an architectural antipattern. 
>Information that is essential and authoritative about the processing of 
>a payload should be part of the payload and not external to it. Anything 
>else is brittle and leads to breakage.

That may be desired. Content Security Policies for instance are meant to "break" some code injection attacks against generated payloads. They are essential and authoritative, and putting them into payloads would defeat their purpose to a considerable extent as it's much easier to manipulate payloads than it is to manipulate their encapsulation. `Content-Type` as it is handled these days serves a similar purpose, you can use it to ensure that certain payloads don't constitute an attack vector against the sites you are running. The header makes stuff break. As it is meant to.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 1 March 2013 02:05:22 GMT
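As an added illustration of the point made in the mail above (example code, not part of the original message or of any W3C deliverable): a small Python model of a client that decides, from the HTTP envelope alone, whether an HTML-looking body may execute inline script. The function names `build_response`, `parse_response` and `inline_script_would_run` are hypothetical, and the sample upload is constructed.

```python
# Added example, not from the original post. Names are hypothetical and the
# sample upload is constructed; the point is that only headers are consulted.

# Constructed sample: a user upload that happens to look like an HTML page.
UNTRUSTED_UPLOAD = b"<html><script>alert(1)</script><p>hi</p></html>"

# Header sets the server attaches; nothing placed in the body can alter them.
RESPONSE_HEADERS = {
    # user content: never parsed as HTML, and loads nothing even if it were
    "upload": {"Content-Type": "text/plain; charset=utf-8",
               "Content-Security-Policy": "default-src 'none'"},
    # the site's own pages: HTML, but inline script is forbidden by policy
    "page": {"Content-Type": "text/html; charset=utf-8",
             "Content-Security-Policy": "default-src 'self'; script-src 'self'"},
}

def build_response(body: bytes, kind: str) -> bytes:
    """Wrap `body` in an HTTP/1.1 response whose headers govern its processing."""
    lines = ["HTTP/1.1 200 OK"]
    lines += [f"{k}: {v}" for k, v in RESPONSE_HEADERS[kind].items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body

def parse_response(raw: bytes):
    """Split a raw response into (status line, {lower-case header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def inline_script_would_run(raw: bytes) -> bool:
    """Envelope-only decision: inline script runs only if Content-Type says HTML
    and the CSP (script-src, else default-src) grants 'unsafe-inline'."""
    _, headers, _ = parse_response(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "text/html":
        return False          # served as text: the <script> tag is just characters
    csp = headers.get("content-security-policy")
    if csp is None:
        return True           # no policy: pre-CSP behaviour, inline script runs
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources
```

The same bytes are rejected or accepted purely on what the envelope says, which is the property the mail relies on: an uploader controls the body but not the headers wrapped around it.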
