- From: Lisa Dusseault <lisa@osafoundation.org>
- Date: Wed, 17 May 2006 18:12:16 -0700
- To: WebDav WG <w3c-dist-auth@w3.org>, Julian Reschke <julian.reschke@gmx.de>

Thinking about the DAV mount proposal (after posting on the CalDAV list), I started wondering if there's any real security consideration if the mount document is on a totally different server than the WebDAV collection.

- Denial of service? No different than any cross-site link to a WebDAV collection
- Privacy? Possibly leaks username which is ordinarily not revealed. Difficult to keep permissions synched with collection permissions.
- Other? (anyone? what am I missing?)

I guess the only one of those that bears mentioning in the document is that servers would reveal information unnecessarily, and possibly irresponsibly, unless they were to apply the same ACL to the collection and to the mount document.

Lisa

Received on Thursday, 18 May 2006 01:12:25 UTC