Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 13:26:48 -0800
Message-ID: <7789133a0902111326q5a25e423mf3fa3b601da632ec@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com> wrote:
> I have to say that the current known use-cases for site-meta are:
> 1. Security critical ones, but for server-to-server discovery uses (not
> browser mediated)
> 2. Semantic ones, for user consumption, of an informative rather than
> security-critical nature. These use cases may be handled by browsers.

Why not address security metadata for user-agents?  For example, it
would be eminently useful to be able to express X-Content-Type-Options
[1] and X-Frame-Options [2] in a centralized metadata store instead of
wasting bandwidth on every HTTP response (as Google does for
X-Content-Type-Options).  I don't think anyone doubts that we're going
to see a proliferation of this kind of security metadata, e.g., along
the lines of [3].  I don't see the point of making a central metadata
store that ignores these important use cases.


[1] http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
[2] https://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
[3] http://people.mozilla.org/~bsterne/content-security-policy/
Received on Wednesday, 11 February 2009 21:30:06 UTC
