Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

On Mon, Feb 23, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com> wrote:
> No, it does not. It does introduce vulnerabilities to clients that visit
> tinyurl.com with the expectation that they will interpret some metadata at
> tinyurl.com to achieve specific aims.

You're right: someone has to use host-meta for something for this
attack to work.

> Simply substituting tinyurl.com's
> host-meta affects no one until tinyurl.com starts exposing some type of
> service or application that client apps might want to configure/discover
> using host-meta.

By owning their host-meta, I can opt them into whatever services use
host-meta for discovery.

Are you really saying that you don't care that I own their host-meta file?

> As for your example of default charsets, where you are using a browser to
> define a generic interpretation of how to use host-meta to discover default
> charsets, it sounds like such an API would need to be designed as:
>
> getHostMetaValue(URL resource_url, String host_meta_key, boolean
> isAllowedToFollowRedirects)
>
> which hardly sounds to me like a burden.

Don't forget mime types!

String getHostMetaValue(URL resource_url, String host_meta_key,
Boolean is_allowed_to_follow_redirects, Boolean
require_strict_mime_type_processing)

What about paper cut #37?

String getHostMetaValue(URL resource_url, String host_meta_key,
Boolean is_allowed_to_follow_redirects, Boolean
require_strict_mime_type_processing, Boolean opt_out_of_paper_cut_37)

That's the path to madness.

Adam

Received on Monday, 23 February 2009 21:22:09 UTC
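
The two behaviours debated above as API flags (following redirects, strict MIME type processing), written as fixed checks with no opt-out parameters. This is an added example, not code from the thread or the draft. The path `/host-meta`, the media type `application/host-meta`, the hop-record shape and the sample exchanges are assumptions constructed for illustration.

```javascript
// Added illustration. HOST_META_PATH and HOST_META_TYPE are assumed values,
// not taken from the thread; substitute whatever the deployed spec defines.
const HOST_META_PATH = "/host-meta";
const HOST_META_TYPE = "application/host-meta";

// Case-insensitive header lookup on a plain object.
function header(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name);
  return key === undefined ? "" : String(headers[key]);
}

// hops: the exchange an HTTP client recorded, in order: [{url, status, headers, body}].
// Returns {ok, reason, body}. There is no flag that relaxes any check.
function checkHostMetaFetch(resourceUrl, hops) {
  const fail = reason => ({ ok: false, reason, body: null });
  if (!Array.isArray(hops) || hops.length === 0) return fail("no-response");
  const first = hops[0];
  let expected, requested;
  try {
    // 1. host-meta must be requested from the resource's own origin
    //    (scheme, host and port), so http never answers for https.
    expected = new URL(HOST_META_PATH, new URL(resourceUrl).origin).href;
    requested = new URL(first.url).href;
  } catch (e) {
    return fail("bad-url");
  }
  if (requested !== expected) return fail("wrong-origin");
  // 2. Any redirect ends the lookup, so whoever controls a redirect on the
  //    host cannot substitute the host's metadata.
  if ((first.status >= 300 && first.status < 400) || hops.length > 1) return fail("redirect");
  if (first.status !== 200) return fail("status");
  // 3. Exact media type match (parameters ignored); the body is never sniffed.
  const type = header(first.headers, "content-type").split(";")[0].trim().toLowerCase();
  if (type !== HOST_META_TYPE) return fail("media-type");
  return { ok: true, reason: "accepted", body: first.body };
}

// Constructed sample exchanges (not captured traffic).
const SAMPLE_OK = [{ url: "https://example.org/host-meta", status: 200,
  headers: { "Content-Type": "application/host-meta; charset=utf-8" }, body: "k: v" }];
const SAMPLE_REDIRECT = [
  { url: "https://short.example/host-meta", status: 301,
    headers: { Location: "https://other.example/meta" }, body: "" },
  { url: "https://other.example/meta", status: 200,
    headers: { "content-type": "application/host-meta" }, body: "k: v" }];
const SAMPLE_HTML = [{ url: "https://example.org/host-meta", status: 200,
  headers: { "content-type": "text/html" }, body: "<p>k: v</p>" }];
```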