
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Breno de Medeiros <breno@google.com>
Date: Wed, 11 Feb 2009 16:40:30 -0800
Message-ID: <29fb00360902111640l3cb1810vce36de275a026a3@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 4:38 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Wed, Feb 11, 2009 at 4:00 PM, Breno de Medeiros <breno@google.com>
> wrote:
> > All of the above systems target browsers and none have the usage
> > requirements of the proposed spec.
>
> The point is there are enough HTTP servers on the Internet that let
> users upload content in this way that these vendors have added strict
> Content-Type processing to their metadata mechanisms.  If you don't
> even warn consumers of your spec about these threats, those folks will
> build applications on top of host-meta that make these servers
> vulnerable to attack.


Yes, but your solution prevents legitimate use cases that are a higher value
proposition.


>
>
> Adam
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
Received on Thursday, 12 February 2009 00:41:08 GMT