
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 14:01:20 -0800
Message-ID: <7789133a0902111401x1ca20b72g40b36f55f504a2b0@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 1:46 PM, Breno de Medeiros <breno@google.com> wrote:
> The current proposal for host-meta addresses some use cases that today
> simply _cannot_ be addressed without it.

I'm not familiar with our process for adopting new use cases, but let's
think more carefully about one of the listed use cases:

On Wed, Feb 11, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com> wrote:
> 1. Security critical ones, but for server-to-server discovery uses (not
> browser mediated)

To serve this use case, we should require that the host-meta file be
served with a specific, novel content type.  Without this requirement,
servers that try to use the host-meta file for security-critical
server-to-server discovery will be tricked by attackers who upload
fake host-meta files to unknowing servers.

> Your proposal restricts the
> discovery process in ways that may have unintended consequences in terms of
> prohibiting future uses.

How does requiring a specific Content-Type prohibit future uses?

> This is so that browsers can avoid implementing
> same-domain policy checks at the application layer?

No, this is to protect servers that let attackers upload previously
benign content to now-magical paths.

Adam
Received on Wednesday, 11 February 2009 22:02:01 GMT
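
The client-side check implied by the Content-Type requirement in the message above, as an added example that is not part of the original message or of the draft. The media type `application/x-host-meta-example` is a placeholder (the thread names none), the function names are hypothetical, and the sample responses are constructed.

```python
import re

# Placeholder: the thread asks for "a specific, novel content type" but
# does not name one. Substitute whatever type the specification registers.
HOST_META_TYPE = "application/x-host-meta-example"

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(rf"{TOKEN}/{TOKEN}")


def media_type(value):
    """Return the lowercased type/subtype of a Content-Type value, or None."""
    essence = value.split(";", 1)[0].strip()
    return essence.lower() if MEDIA_TYPE_RE.fullmatch(essence) else None


def rejection_reason(status, headers):
    """Decide whether a fetched host-meta response may be trusted.

    headers is the list of (name, value) pairs exactly as received.
    Returns None when the response is acceptable, else a reason string.
    The body is deliberately not inspected: sniffing it would let an
    uploaded file that merely looks like host-meta pass the check.
    """
    if status != 200:
        return f"status {status}"
    ctypes = [v for k, v in headers if k.lower() == "content-type"]
    if len(ctypes) != 1:
        return "missing or repeated Content-Type"
    if media_type(ctypes[0]) != HOST_META_TYPE:
        return f"unexpected Content-Type {ctypes[0]!r}"
    return None


# Constructed sample responses (status, headers) for the host-meta path.
SAMPLES = {
    "operator-published": (200, [("Content-Type", HOST_META_TYPE + "; charset=utf-8")]),
    "case-variant": (200, [("content-type", "Application/X-Host-Meta-Example")]),
    "user upload as text": (200, [("Content-Type", "text/plain")]),
    "user upload as binary": (200, [("Content-Type", "application/octet-stream")]),
    "no type header": (200, [("Server", "example")]),
    "conflicting headers": (200, [("Content-Type", HOST_META_TYPE),
                                  ("Content-Type", "text/html")]),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name:24} -> {rejection_reason(status, headers) or 'accepted'}")
```

A server that accepts uploads typically serves them with a generic or user-chosen type from a fixed set, so only a deliberately configured host-meta response passes this check.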
