
Re: [Integrity] Some comments on Cross-Origin leakage and content types

From: Arjan Veenstra <arjan@veenstra.cx>
Date: Mon, 22 Sep 2014 20:24:59 +0200
To: public-webappsec@w3.org
Message-ID: <e759dac55a000f837b32ca8544e71f00@d6.nl>

On 2014-09-21 11:13, Anne van Kesteren wrote:
> On Sat, Sep 20, 2014 at 10:19 AM, Arjan Veenstra <arjan@veenstra.cx> wrote:
>> I'm also missing a description of how to handle scenarios where a resource
>> might be available in multiple content types.
> 
> https://wiki.whatwg.org/wiki/Why_not_conneg

I'm not sure I agree with all the points mentioned there, mainly because 
it seems to assume the client is always a browser. But that isn't a 
discussion which belongs here...

Even so, content negotiation exists and is being used; as such I think 
the standard should at least spend a few words on how to deal with that. 
I also think it can be supported trivially without any loss of 
functionality. Depending on the interpretation of the standard it might 
even be supported, but as it stands the standard isn't explicit about 
it. Even if you'd want to use this standard as a means to kill 
content-negotiation it should be explicit about allowing only a single 
content-type per element. Right now it's not clear, at least not to me. 
I guess it's clear I'd like to be specifically allowed to specify 
different hashes for different content-types. But when that won't be 
allowed, I feel that should be explicit.

Regards,
Arjan Veenstra
Received on Monday, 22 September 2014 18:25:24 UTC
