- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 18 May 2006 07:30:34 +0200
- To: Lisa Dusseault <lisa@osafoundation.org>
- CC: WebDav WG <w3c-dist-auth@w3.org>
Lisa Dusseault wrote:

> Thinking about the DAV mount proposal
> <http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-04.html>
> (after posting on the CalDAV list), I started wondering if there's any
> real security consideration if the mount document is on a totally
> different server than the WebDAV collection.
>
> - Denial of service? No different than any cross-site link to a WebDAV
> collection

Correct.

> - Privacy? Possibly leaks username which is ordinarily not revealed.

The username (optionally) is sent in the content from server to client (see
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-04.html#ELEMENT_username>).
In general, this is the user name that was used to authenticate to the Web
site in the first place, so I'm not sure why sending it back to the client
is any kind of security risk?

> Difficult to keep permissions synched with collection permissions.

What does this have to do with the act of mounting?

> - Other? (anyone? what am I missing?)
>
> I guess the only one of those that bears mentioning in the document is
> that servers would reveal information unnecessarily, and possibly
> irresponsibly, unless they were to apply the same ACL to the collection
> and to the mount document.

I'm not sure what kind of information you're referring to here. Please be
more specific...

Best regards, Julian
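The privacy point under discussion (a mount document served from a different origin than the collection, carrying the optional username element) can be checked mechanically on the client or in a server-side review. The following is an added example, not code from the thread or from the davmount draft: it parses a davmount body and reports when the username would be disclosed by a document that does not share the collection's origin (and so, as Lisa notes, may not share its ACL). The namespace URI, the element names `url`, `open` and `username`, and the sample document are assumptions for this example; check them against the draft you target.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of the davmount format (assumed here; confirm against the draft).
DM_NS = "http://purl.org/NET/webdav/mount"

# Constructed sample: the body a server might return for a mount request.
SAMPLE_MOUNT = """<dm:mount xmlns:dm="http://purl.org/NET/webdav/mount">
  <dm:url>https://dav.example.com/users/alice/</dm:url>
  <dm:open>notes.txt</dm:open>
  <dm:username>alice</dm:username>
</dm:mount>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port,
    so two URLs can be compared the way a same-origin check would."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


def parse_mount(xml_text):
    """Parse a davmount body into a dict; dm:url is required, the others optional."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{DM_NS}}}mount":
        raise ValueError("root element is not dm:mount")

    def text_of(name):
        el = root.find(f"{{{DM_NS}}}{name}")
        return el.text.strip() if el is not None and el.text else None

    url = text_of("url")
    if not url:
        raise ValueError("dm:url is required")
    return {"url": url, "open": text_of("open"), "username": text_of("username")}


def assess(mount_doc_url, xml_text):
    """Return (parsed mount, findings). mount_doc_url is where the mount
    document itself was fetched from; the finding fires when a username is
    present and that origin differs from the collection's origin."""
    mount = parse_mount(xml_text)
    findings = []
    if mount["username"] and origin(mount_doc_url) != origin(mount["url"]):
        findings.append(
            "username disclosed by a mount document served from a different "
            "origin than the collection; the two may not share an ACL"
        )
    return mount, findings


if __name__ == "__main__":
    for doc_url in ("https://dav.example.com/mount/alice.davmount",
                    "https://portal.example.org/links/alice.davmount"):
        mount, findings = assess(doc_url, SAMPLE_MOUNT)
        print(doc_url, "->", findings or "no findings")
```

A server that wants to avoid the finding has two options that follow from the discussion: omit `dm:username` when the mount document is published outside the collection's origin, or serve the mount document under the same ACL as the collection.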
Received on Thursday, 18 May 2006 05:30:44 UTC