- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 21 Jan 2010 15:23:05 +0100
- To: Apps Discuss <discuss@apps.ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Hi,

finally a security-related comment. During IETF LC for draft-brown-versioning-link-relations we got a comment from Eric Rescorla:

"In general this mechanism seems sound but I'm not sure that the security considerations are entirely adequate. This mechanism lets you learn information about other versions of a resource even if you potentially don't have permission to view them directly. Consider a limiting case where each version of the resource had a name that contained the change set for that resource. E.g., http://example.com/versions/filename/_@line_50_+_FOO;@line_60_+_BAR/; In this case, seeing other parts of the version tree leaks information about those versions. I don't think that this is a problem for the draft, but it might be useful to mention that this feature has implications for name construction."

I assume this is a concern that applies to the Link header in general.

Best regards, Julian
Received on Thursday, 21 January 2010 14:23:44 UTC
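The name-construction point above, as an added example that is not part of the message or the draft: a small Link header parser that pulls out the targets of version relations (the relation names assumed here are the ones the draft registered, e.g. predecessor-version and successor-version) and flags any whose version segment is not an opaque token, so a server can check its own responses before a client ever sees a change set encoded in a URI. The opaque-identifier policy and the sample header are constructed assumptions.

```python
import re
import secrets
from urllib.parse import urlsplit

# Relation types from the versioning link relations draft (assumed set);
# a client learns these targets from the Link header even when it is not
# allowed to fetch them, so their names must not carry content.
VERSION_RELS = {"latest-version", "working-copy", "working-copy-of",
                "predecessor-version", "successor-version", "version-history"}

# Assumed server policy: a version is named by one URL-safe random token,
# never by text derived from the change set.
OPAQUE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{16,}$")

# Simplified Link header grammar: <target> followed by ;param=value pairs.
# Keeping the target inside <...> matters: the example URI contains ';'.
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')


def parse_link_header(value):
    """Parse a Link header value into a list of (target, params) pairs."""
    links = []
    for m in _LINK_RE.finditer(value):
        target, raw_params = m.group(1), m.group(2)
        params = {}
        for p in raw_params.split(";"):
            if "=" in p:
                k, v = p.strip().split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"')
        links.append((target, params))
    return links


def leaky_version_links(link_header):
    """Return version-relation targets whose last path segment is not opaque."""
    leaks = []
    for target, params in parse_link_header(link_header):
        rels = set(params.get("rel", "").split())
        if not rels & VERSION_RELS:
            continue
        segment = urlsplit(target).path.rstrip("/").rsplit("/", 1)[-1]
        if not OPAQUE_SEGMENT.match(segment):
            leaks.append(target)
    return leaks


def opaque_version_id():
    """Mint a version identifier that reveals nothing about the content."""
    return secrets.token_urlsafe(16)
```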