Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Breno de Medeiros <breno@google.com>
Date: Wed, 11 Feb 2009 17:32:21 -0800
Message-ID: <29fb00360902111732o68f0d3b3i218c5eef8da3c0cc@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Adam Barth <w3c@adambarth.com>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Wed, Feb 11, 2009 at 5:25 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Wed, 11 Feb 2009, Breno de Medeiros wrote:
> > On Wed, Feb 11, 2009 at 5:00 PM, Ian Hickson <ian@hixie.ch> wrote:
> > > On Wed, 11 Feb 2009, Breno de Medeiros wrote:
> > > > >
> > > > > > 2. This technique may prevent legitimate uses of the spec by
> > > > > > developers who do not have the ability to set the appropriate
> > > > > > header.
> > > > >
> > > > > Many developers can control Content-Type headers using .htaccess
> > > > > files (and their ilk).
> > > >
> > > > And many others cannot. This is particularly irksome in outsourcing
> > > > situations where you have only partial control of the hosting
> > > > environment or depend on non-technical users to perform
> > > > administrative tasks.
> > >
> > > Note that if the spec says that UAs are to ignore the Content-Type
> > > header, this is a violation of the HTTP and MIME specifications. If
> > > this is intentional, then the HTTP or MIME specs should be changed.
> >
> > The spec is letting applications decide what to do. It is not mandating
> > anything.
>
> Well then what Adam is suggesting isn't controversial, and in fact it's
> already required (by HTTP/MIME). So adding a note to the site-meta spec
> reminding implementors of this doesn't seem like a bad idea.
My only concern is that the requirement is construed as reasonably
sufficient for security (which is indeed the case for crossdomain.xml, but
not for many intended applications). The example Adam just gave, i.e.,
server-to-server authentication metadata being subverted by uploading a
file, is the type of application that I believe should ideally resist full
compromise of the server (e.g., by using metadata signed with offline keys).
So I am not necessarily opposed to it, but the language needs to make it
clear that this strategy serves to mitigate a very specific class of
threats.


>
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
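The distinction drawn in this message, a Content-Type check that only defeats an attacker who can upload a file but cannot set response headers, versus metadata signed with an offline key that also survives full server compromise, is illustrated by the following client-side verifier. This is an added example, not code from the thread or from the site-meta draft. It assumes Ed25519 as the offline signature algorithm, `application/xml` as the expected media type, and a detached signature carried out of band (say, in a hypothetical response header); none of these are defined by the draft being discussed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"mime"
)

// Response models the parts of a fetched site-meta response that the
// client inspects. Signature is a detached Ed25519 signature over Body,
// assumed to arrive in a hypothetical header; the draft defines no such field.
type Response struct {
	ContentType string
	Body        []byte
	Signature   []byte
}

var (
	ErrWrongContentType = errors.New("site-meta: unexpected Content-Type")
	ErrBadSignature     = errors.New("site-meta: signature verification failed")
)

// expectedMediaType is an assumption for this example.
const expectedMediaType = "application/xml"

// GenerateOfflineKey stands in for a key pair whose private half lives
// off the web server, so a server compromise does not expose it.
func GenerateOfflineKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignMetadata is the offline step: the metadata body is signed before
// it is deployed to the (untrusted) hosting environment.
func SignMetadata(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

// CheckContentType is the mitigation discussed in the thread: it defeats an
// attacker who can only upload a file and cannot influence response headers.
func CheckContentType(r Response) error {
	mt, _, err := mime.ParseMediaType(r.ContentType)
	if err != nil || mt != expectedMediaType {
		return ErrWrongContentType
	}
	return nil
}

// VerifyMetadata applies both checks. The signature check is what protects
// a consumer when the server itself is fully compromised: the attacker can
// set any header but cannot produce a signature under the pinned public key.
func VerifyMetadata(r Response, pub ed25519.PublicKey) error {
	if err := CheckContentType(r); err != nil {
		return err
	}
	if !ed25519.Verify(pub, r.Body, r.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := GenerateOfflineKey()
	_, attackerPriv := GenerateOfflineKey() // constructed: attacker's own key

	genuine := []byte(`<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"/>`) // constructed body
	forged := []byte(`<XRD><Link rel="attacker"/></XRD>`)                          // constructed body

	scenarios := map[string]Response{
		// Honest server: correct media type, body signed offline.
		"genuine": {ContentType: "application/xml; charset=utf-8", Body: genuine, Signature: SignMetadata(priv, genuine)},
		// Upload attack: attacker placed a file but the host serves it as text/plain.
		"uploaded file": {ContentType: "text/plain", Body: forged},
		// Full compromise: attacker controls headers too, but lacks the offline key.
		"compromised server": {ContentType: "application/xml", Body: forged, Signature: SignMetadata(attackerPriv, forged)},
	}
	for name, r := range scenarios {
		fmt.Printf("%-20s content-type check: %v, full check: %v\n", name, CheckContentType(r), VerifyMetadata(r, pub))
	}
}
```

Run as-is to see the three outcomes: the uploaded file is rejected by the Content-Type check alone, the compromised-server case passes that check and is only caught by the signature, and the genuine response passes both.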
Received on Thursday, 12 February 2009 01:33:00 GMT