W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 12:31:33 -0800
Message-ID: <7789133a0902111231l5d23f539v221516ef18869c47@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>

On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Your approach is wrong. Host-meta should not be trying to address such
> security concerns.

Ignoring security problems doesn't make them go away.  It just means
you'll have to pay the piper more later.

> Applications making use of it should. There are plenty of
> applications where no one care about security. Obviously, crossdomain.xml
> needs to be secure, since, well, it is all about that.

What's the point of a central metadata repository that can't handle
the most popular use case of metadata?

> An application which strict security requirement should pay attention to the
> experience you are referring to. We certainly agree on that. But that is
> application-specific.

Here's what I recommend:

1) Change the scope of the host-meta to default to the origin of the
URL from which it was retrieved (as computed by the algorithm in

2) Let particular applications narrow this scope if they require
additional granularity.

Received on Wednesday, 11 February 2009 20:34:54 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:33:07 UTC