- From: Eran Hammer-Lahav <eran@hueniverse.com>
- Date: Wed, 11 Feb 2009 00:51:13 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>
Thanks Adam.

> -----Original Message-----
> From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
> On Behalf Of Adam Barth
> Sent: Tuesday, February 10, 2009 8:58 AM
>
> Wow, this draft is scary.

Not the emotion I was looking for but at least it moved you... :-)

> In particular, you should require that
> the host-meta file should be served with a specific mime type (ignore
> the response if the mime type is wrong). This protects servers that
> let users upload content from having attackers upload a bogus
> host-meta file.

I am not sure the value added in security (which I find hard to buy) is worth excluding many hosting solutions where people do not always have access to setting content-type headers. After all, focusing on an HTTP GET based solution was based on getting the most accessible approach.

> Also, if you want this feature to be useful for Web browsers, you
> should align the scope of the host-meta file with the notion of origin
> (not authority).

The scope is host/port/protocol. The protocol is not said explicitly but is very much implied. I'll leave it up to Mark to address wordings. As for the term 'origin', I'd rather do anything but get involved with another term at this point.

EHL
Received on Wednesday, 11 February 2009 07:52:03 UTC
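
The two client-side checks discussed in this message (ignore a host-meta response served with the wrong media type, and scope the file to host/port/protocol), sketched as an added example that is not part of the original message or of the draft. The media type string, the function names and the sample URLs are assumptions made for illustration; the message does not name the actual media type.

```python
from urllib.parse import urlsplit

# Assumption: placeholder for whatever media type the specification would require.
EXPECTED_TYPE = "application/x-host-meta-placeholder"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (protocol, host, port) triple that scopes a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if not host or port is None:
        raise ValueError("cannot derive an origin from %r" % url)
    return (scheme, host, port)


def media_type(content_type_header):
    """Reduce a Content-Type header to its bare, lower-cased media type."""
    if not content_type_header:
        return ""
    return content_type_header.split(";", 1)[0].strip().lower()


def accept_host_meta(resource_url, host_meta_url, content_type_header):
    """Decide whether a fetched host-meta response may describe resource_url.

    Returns (accepted, reason). The response is ignored when it comes from a
    different protocol/host/port than the resource, or when its media type is
    not the expected one (for example a user-uploaded file served as
    text/plain by a hosting service).
    """
    if origin(host_meta_url) != origin(resource_url):
        return (False, "scope mismatch")
    if media_type(content_type_header) != EXPECTED_TYPE:
        return (False, "unexpected media type")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    samples = [
        ("https://example.com/photo", "https://example.com/host-meta", EXPECTED_TYPE),
        ("https://example.com/photo", "https://example.com/host-meta", "text/plain"),
        ("https://example.com/photo", "http://example.com/host-meta", EXPECTED_TYPE),
    ]
    for resource, meta, ctype in samples:
        print(resource, meta, ctype, accept_host_meta(resource, meta, ctype))
```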