Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 14:39:39 -0800
Message-ID: <7789133a0902111439s5cd0081bof557189035ce91d3@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>

On Wed, Feb 11, 2009 at 2:26 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> But you are missing the entire application layer here! A browser will not
> use host-meta. It will use an application spec that will use host-meta and
> that application, if security is a concern, will specify such requirements
> to ensure interoperability. It is not the job of host-meta to tell
> applications what is good for them.

In that case, the draft should not define a default scope for
host-meta files at all.  Each application that uses the host-meta file
should define the scope that it finds most useful.

As currently written, the draft is downright dangerous because it
defines a scope that is almost (but not quite!) right for Web
browsers.

Adam
Received on Wednesday, 11 February 2009 22:40:23 GMT
