On Wed, Feb 11, 2009 at 1:46 PM, Breno de Medeiros <breno@google.com> wrote: > The current proposal for host-meta addresses some use cases that today > simply _cannot_ be addressed without it. I'm not familiar our process for adopting new use cases, but let's think more carefully about one of the listed use cases: On Wed, Feb 11, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com> wrote: > 1. Security critical ones, but for server-to-server discovery uses (not > browser mediated) To serve this use case, we should require that the host-meta file be served with a specific, novel content type. Without this requirement, servers that try to use the host-meta file for security-critical server-to-server discovery will be tricked by attackers who upload fake host-meta files to unknowing servers. > Your proposal restricts the > discovery process in ways that may have unintended consequences in terms of > prohibiting future uses. How does requiring a specific Content-Type prohibit future uses? > This is so that browsers can avoid implementing > same-domain policy checks at the application layer? No, this is to protect servers that let attackers upload previously benign content to now-magical paths. AdamReceived on Wednesday, 11 February 2009 22:02:01 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:38:52 GMT