Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 16:43:43 -0800
Message-ID: <7789133a0902111643t1480bfdjb428225ef232005@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 4:40 PM, Breno de Medeiros <breno@google.com> wrote:
> Yes, but your solution prevents legitimate use cases that are a higher value
> proposition.

How does:

On Wed, Feb 11, 2009 at 3:22 PM, Adam Barth <w3c@adambarth.com> wrote:
> 2) Add a section to Security Considerations that explains that
> applications using host-meta should consider adding requirement (1) [strict Content-Type processing].

prevent legitimate use cases?

It's not the ideal solution because it passes the buck to
application-land, but it's orders of magnitude better than laying a
subtle trap for those folks.

Adam
Received on Thursday, 12 February 2009 00:44:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT