Hi, finally a security-related comment.

During IETF LC for draft-brown-versioning-link-relations we got a comment from Eric Rescorla:

"In general this mechanism seems sound but I'm not sure that the security considerations are entirely adequate. This mechanism lets you learn information about other versions of a resource even if you potentially don't have permission to view them directly. Consider a limiting case where each version of the resource had a name that contained the change set for that resource. E.g., http://example.com/versions/filename/_@line_50_+_FOO;@line_60_+_BAR/; In this case, seeing other parts of the version tree leaks information about those versions. I don't think that this is a problem for the draft, but it might be useful to mention that this feature has implications for name construction."

I assume this is a concern that applies to the Link header in general.

Best regards, Julian

Received on Thursday, 21 January 2010 14:23:44 UTC
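The two mitigations implied by the comment above, opaque version names and not advertising versions the requester cannot read, as an added example that is not part of the thread, the draft, or any server implementation. The resource name, revision list, access lists, base URL and server-side key are all constructed for the example; the relation names predecessor-version and successor-version are the ones the draft registers.

```python
import hashlib
import hmac
from typing import Dict, List, Set

# Constructed sample data (not from the mailing-list thread): one resource with
# three revisions, each with the set of principals allowed to read it.
SECRET_KEY = b"example-server-side-key"  # assumption: a per-deployment secret
BASE_URL = "http://example.com/versions"  # assumption: where versions are served
REVISIONS: List[Dict] = [
    {"revision": 1, "readers": {"alice", "bob"}},
    {"revision": 2, "readers": {"alice"}},  # bob may not read revision 2
    {"revision": 3, "readers": {"alice", "bob"}},
]


def content_bearing_id(change_set: str) -> str:
    """The leaky scheme from the message: the name is the change set itself,
    so anyone who sees the link learns what the edit was."""
    return change_set


def opaque_version_id(resource: str, revision: int, key: bytes = SECRET_KEY) -> str:
    """Keyed hash over (resource, revision). It is stable for the server,
    carries nothing about the version's content, and cannot be enumerated
    or forged without the key."""
    msg = f"{resource}\x00{revision}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def version_links(resource: str, current: int, requester: str,
                  revisions: List[Dict] = REVISIONS, base_url: str = BASE_URL) -> List[str]:
    """Link header values for the predecessor and successor of `current`.
    A neighbouring version the requester may not read is silently omitted,
    so the Link header itself does not reveal that it exists."""
    by_rev: Dict[int, Dict] = {r["revision"]: r for r in revisions}
    links: List[str] = []
    for rel, rev in (("predecessor-version", current - 1),
                     ("successor-version", current + 1)):
        entry = by_rev.get(rev)
        if entry is None:
            continue
        readers: Set[str] = entry["readers"]
        if requester not in readers:
            continue
        target = f"{base_url}/{resource}/{opaque_version_id(resource, rev)}"
        links.append(f'<{target}>; rel="{rel}"')
    return links


def link_header(resource: str, current: int, requester: str) -> str:
    """Join the per-version values into one Link header field value."""
    return ", ".join(version_links(resource, current, requester))


if __name__ == "__main__":
    print("leaky name:", content_bearing_id("_@line_50_+_FOO;@line_60_+_BAR"))
    print("opaque name:", opaque_version_id("filename", 2))
    print("alice at rev 2 sees:", link_header("filename", 2, "alice"))
    print("bob at rev 1 sees:", repr(link_header("filename", 1, "bob")))
```

The filtering step is the part that matters for the Link header: the opaque name stops the link target from describing the version, and omitting unauthorized neighbours stops the header from confirming that a hidden version exists at all.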