- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 11 Feb 2009 12:31:33 -0800
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- Cc: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>
On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Your approach is wrong. Host-meta should not be trying to address such
> security concerns.

Ignoring security problems doesn't make them go away. It just means
you'll have to pay the piper more later.

> Applications making use of it should. There are plenty of
> applications where no one cares about security. Obviously, crossdomain.xml
> needs to be secure, since, well, it is all about that.

What's the point of a central metadata repository that can't handle
the most popular use case of metadata?

> An application with strict security requirements should pay attention to the
> experience you are referring to. We certainly agree on that. But that is
> application-specific.

Here's what I recommend:

1) Change the scope of the host-meta to default to the origin of the
URL from which it was retrieved (as computed by the algorithm in
draft-abarth-origin).

2) Let particular applications narrow this scope if they require
additional granularity.

Adam
Received on Wednesday, 11 February 2009 20:34:54 UTC
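
The two-step recommendation in the message above, sketched as an added example (not part of the original message, and not code from draft-abarth-origin): a simplified scheme/host/port origin comparison decides whether a host-meta document covers a resource, and an application-supplied predicate may only narrow that scope. The function names, the `narrow` parameter and the sample URLs are assumptions made for illustration.

```javascript
// Simplified (scheme, host, port) origin; an assumption standing in for
// the full algorithm in draft-abarth-origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns "scheme://host:port", or null when no comparable origin exists.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparseable input never matches anything
  }
  const defaultPort = DEFAULT_PORTS[u.protocol];
  if (defaultPort === undefined || u.hostname === "") return null;
  // The URL parser lowercases scheme and host and drops a default port,
  // so the default is restored here to make the triple explicit.
  const port = u.port === "" ? defaultPort : u.port;
  return u.protocol + "//" + u.hostname + ":" + port;
}

// Does metadata retrieved from hostMetaUrl apply to resourceUrl?
// Step 1: default scope is the origin the host-meta was fetched from.
// Step 2: `narrow` (hypothetical, application-supplied) can only reject
// resources inside that origin; it is never consulted for ones outside it.
function hostMetaCovers(hostMetaUrl, resourceUrl, narrow) {
  const metaOrigin = originOf(hostMetaUrl);
  if (metaOrigin === null || metaOrigin !== originOf(resourceUrl)) return false;
  return narrow ? narrow(new URL(resourceUrl)) === true : true;
}

// Constructed sample values.
const META = "http://example.com/host-meta";
const onlyPublic = (u) => u.pathname.startsWith("/public/");
```

With these definitions a host-meta fetched over plain HTTP says nothing about the HTTPS site, a different port, or a sibling host, whatever the narrowing predicate returns.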