Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

On Wed, Feb 11, 2009 at 11:55 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> There is nothing incorrect about: GET mailto:joe@example.com HTTP/1.1

I don't know how to get a Web browser to generate such a request, so I
am unable to assess its security implications.

> It might look funny to most people but it is perfectly valid. The protocol
> is HTTP, the scheme is mailto. HTTP can talk about any URI, not just http
> URIs. Since this is about *how* /host-meta is obtained, it should talk about
> protocol, not scheme.

Here's my understanding of how this should work (ignoring redirects
for the moment).  Please correct me if my understanding is incorrect
or incomplete:

1) The user agent retrieves the host-meta file by requesting a certain
URL from the network layer.

2) The network layer does some magic involving protocols and
electrical signals on wires and returns a sequence of bytes.

3) The user agent now must compute a scope for the retrieved host-meta file.

I recommend that the scope for the host-meta file be determined from
the URL irrespective of whatever magic goes on in step 2, because this
is the way all other security scopes are computed in Web browsers.
For example, if I view an HTML document located at
http://example.com/index.html, its security origin is (http,
example.com, 80) regardless of whether the HTML document was actually
retrieved by carrier pigeon or SMTP.

(To handle redirects, by the way, you have to use the last URL in the
redirect chain.)

Adam

Received on Wednesday, 11 February 2009 20:38:51 UTC
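
The scope computation described in the message above, as an added example that is not part of the original post or of the draft: the scope is the (scheme, host, port) tuple of the last URL in the redirect chain, and the transport that delivered the bytes is ignored. The function names, the `transport` field, and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration: derive a host-meta scope from the URL, not the transport.
// Assumption: only http and https URLs yield an origin tuple here.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Compute the (scheme, host, port) tuple from the URL text alone.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = DEFAULT_PORTS[u.protocol];
  if (defaultPort === undefined) {
    throw new Error("no origin tuple defined for scheme " + u.protocol);
  }
  // URL.port is "" when the port is absent or equals the scheme default.
  const port = u.port === "" ? defaultPort : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: port };
}

function formatOrigin(o) {
  return "(" + o.scheme + ", " + o.host + ", " + o.port + ")";
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// fetchRecord.redirectChain lists every URL requested, in order.
// fetchRecord.transport is deliberately never read: however the bytes
// arrived, the scope comes from the last URL in the chain.
function hostMetaScope(fetchRecord) {
  const chain = fetchRecord.redirectChain;
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new Error("redirect chain must contain at least one URL");
  }
  return originOf(chain[chain.length - 1]);
}

// Constructed sample: a request that was redirected once.
const sample = {
  transport: "carrier pigeon",
  redirectChain: [
    "http://example.com/host-meta",
    "https://www.example.com/host-meta",
  ],
};
console.log(formatOrigin(hostMetaScope(sample)));
console.log(formatOrigin(originOf("http://example.com/index.html")));
```
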