W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

RE: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Wed, 11 Feb 2009 00:51:13 -0700
To: Adam Barth <w3c@adambarth.com>
CC: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234127C939CC0@P3PW5EX1MB01.EX1.SECURESERVER.NET>

Thanks Adam.

> -----Original Message-----
> From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
> On Behalf Of Adam Barth
> Sent: Tuesday, February 10, 2009 8:58 AM
>
> Wow, this draft is scary.

No the emotion I was looking for but at least it moved you... :-)

> In particular, you should require that
> the host-meta file should be served with a specific mime type (ignore
> the response if the mime type is wrong.  This protects servers that
> let users upload content from having attackers upload a bogus
> host-meta file.

I am not sure the value added in security (which I find hard to buy) is worth excluding many hosting solutions where people not always have access to setting content-type headers. After all, focusing on an HTTP GET based solution was based on getting the most accessible approach.

> Also, if you want this feature to be useful for Web browsers, you
> should align the scope of the host-meta file with the notion or origin
> (not authority).

The scope is host/port/protocol. The protocol is not said explicitly but is very much implied. I'll leave it up to Mark to address wordings. As for the term 'origin', I rather do anything but get involved with another term at this point.

EHL
Received on Wednesday, 11 February 2009 07:52:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT