W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 12:31:33 -0800
Message-ID: <7789133a0902111231l5d23f539v221516ef18869c47@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>

On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Your approach is wrong. Host-meta should not be trying to address such
> security concerns.

Ignoring security problems doesn't make them go away.  It just means
you'll have to pay the piper more later.

> Applications making use of it should. There are plenty of
> applications where no one care about security. Obviously, crossdomain.xml
> needs to be secure, since, well, it is all about that.

What's the point of a central metadata repository that can't handle
the most popular use case of metadata?

> An application which strict security requirement should pay attention to the
> experience you are referring to. We certainly agree on that. But that is
> application-specific.

Here's what I recommend:

1) Change the scope of the host-meta to default to the origin of the
URL from which it was retrieved (as computed by the algorithm in
draft-abarth-origin).

2) Let particular applications narrow this scope if they require
additional granularity.

Adam
Received on Wednesday, 11 February 2009 20:34:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT