On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Your approach is wrong. Host-meta should not be trying to address such
> security concerns.

Ignoring security problems doesn't make them go away. It just means you'll have to pay the piper more later.

> Applications making use of it should. There are plenty of
> applications where no one cares about security. Obviously, crossdomain.xml
> needs to be secure, since, well, it is all about that.

What's the point of a central metadata repository that can't handle the most popular use case of metadata?

> An application with strict security requirements should pay attention to the
> experience you are referring to. We certainly agree on that. But that is
> application-specific.

Here's what I recommend:

1) Change the scope of the host-meta to default to the origin of the URL from which it was retrieved (as computed by the algorithm in draft-abarth-origin).

2) Let particular applications narrow this scope if they require additional granularity.

Adam

Received on Wednesday, 11 February 2009 20:34:54 GMT
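The scoping rule recommended in the message above, sketched as an added example that is not part of the original message or of any host-meta draft. It assumes an origin can be modelled as the (scheme, host, port) triple with default ports filled in; the function names, the `narrow` predicate and the example.com URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only http and https are handled; other schemes get no origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple for url, or None if it has none."""
    try:
        parts = urlsplit(url)
        scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])


def in_default_scope(host_meta_url, resource_url):
    """Step 1: host-meta covers only the origin it was retrieved from."""
    src = origin(host_meta_url)
    # A URL without a usable origin matches nothing, not even itself.
    return src is not None and src == origin(resource_url)


def in_app_scope(host_meta_url, resource_url, narrow):
    """Step 2: an application predicate may narrow the scope, never widen it."""
    return in_default_scope(host_meta_url, resource_url) and bool(narrow(resource_url))


if __name__ == "__main__":
    meta = "https://example.com/host-meta"  # constructed sample URL
    samples = [
        "https://EXAMPLE.com:443/feed",    # same origin, written differently
        "http://example.com/feed",         # different scheme
        "https://example.com:8443/feed",   # different port
        "https://blog.example.com/feed",   # different host
    ]
    for url in samples:
        print(url, in_default_scope(meta, url))
```

Because `in_app_scope` evaluates the origin check first, an application rule that is too permissive still cannot make host-meta apply to a resource outside the origin it was fetched from.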