W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Breno de Medeiros <breno@google.com>
Date: Wed, 11 Feb 2009 16:45:40 -0800
Message-ID: <29fb00360902111645h7161b22fn24b26406f2f028d6@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Wed, Feb 11, 2009 at 4:43 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Wed, Feb 11, 2009 at 4:40 PM, Breno de Medeiros <breno@google.com>
> wrote:
> > Yes, but your solution prevents legitimate use cases that are a higher
> value
> > proposition.
>
> How does:
>
> On Wed, Feb 11, 2009 at 3:22 PM, Adam Barth <w3c@adambarth.com> wrote:
> > 2) Add a section to Security Considerations that explains that
> > applications using host-meta should consider adding requirement (1)
> [strict Content-Type processing].
>
> prevent legitimate use cases?
>
> It's not the ideal solution because it passes the buck to
> application-land, but its orders of magnitude better than laying a
> subtle trap for those folks.


Ah, thought that you were still suggesting that this be a spec requirement.
What about browser-based applications using host-meta ...


>
>
> Adam
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
Received on Thursday, 12 February 2009 00:46:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT