Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 18:20:07 -0800
Message-ID: <7789133a0902111820g255ca67obf110ce0134f635@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Ian Hickson <ian@hixie.ch>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 6:04 PM, Breno de Medeiros <breno@google.com> wrote:
> So the proposal is for a security considerations section that describes
> attending threats and strongly hints that applications will be vulnerable if
> they do not adopt techniques to validate the results. It would suggest the
> use of content-type headers and explain what types of threats it protects
> against, provided that it includes caveats that this technique may not be
> sufficient for some applications as well as not necessary for others
> that use higher-assurance approaches to directly validate the results
> discovered through host-meta.

Sounds good to me.  I'm not that familiar with IETF process.  Should I
draft this section and email it to someone?

> I still do not think this is necessary because the threat model attending
> this is much broader than crossdomain.xml and applications that rely on this
> will have to understand their own security needs or be necessarily
> vulnerable. On the other hand, I will not argue against it either.

For my part, I'd rather we go further and require strict Content-Type
processing.  :)

Adam
Received on Thursday, 12 February 2009 02:20:42 GMT