- From: Robin Berjon <robin@berjon.com>
- Date: Sun, 19 Apr 2009 16:24:52 +0200
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-webapps@w3.org
Hi Thomas,

On Apr 16, 2009, at 17:23 , Thomas Roessler wrote:
> 1. How is the information in this access element going to be used at
> installation time or distribution time? I'd like to see some spec
> text that explains this.

My understanding is that this is like the feature element and others: it is metadata and its enforcement depends on a security policy. When that security policy intervenes (I would expect at runtime, for every access) is presumably orthogonal.

> 2. If one of the risks we're interested in is firewall traversal,
> then the proposed domain name wildcard has a somewhat different
> risk profile than just a single domain name: while you can do a DNS
> rebinding attack for a single hostname, that's a well-known issue,
> and hopefully worked around in today's browser engines. With the
> wildcard, though, it becomes relatively easy to do firewall
> traversal: For example, one could simply generate DNS records
> n.n.n.n.example.com that point to the IP address n.n.n.n.

I think that this is also meant to be orthogonal to firewalls, but maybe I'm missing something?

-- 
Robin Berjon - http://berjon.com/
    Feel like hiring me? Go to http://robineko.com/
Received on Sunday, 19 April 2009 14:25:30 UTC