- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 11 Feb 2009 12:38:16 -0800
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- Cc: "www-talk@w3.org" <www-talk@w3.org>
On Wed, Feb 11, 2009 at 11:55 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote: > There is nothing incorrect about: GET mailto:joe@example.com HTTP/1.1 I don't know how to get a Web browser to generate such a request, so I am unable to assess its security implications. > It might look funny to most people but it is perfectly valid. The protocol > is HTTP, the scheme is mailto. HTTP can talk about any URI, not just http > URIs. Since this is about *how* /host-meta is obtained, it should talk about > protocol, not scheme. Here's my understanding of how this should work (ignoring redirects for the moment). Please correct me if my understanding is incorrect or incomplete: 1) The user agent retrieves the host-meta file by requesting a certain URL from the network layer. 2) The network layer does some magic involving protocols and electrical signals on wires and returns a sequence of bytes. 3) The user agent now must compute a scope for the retrieved host-meta file. I recommend that the scope for the host-meta file be determined from the URL irrespective of whatever magic goes on in step 2. because this is the way all other security scopes are computed in Web browsers. For example, if I view an HTML document location at http://example.com/index.html, its security origin is (http, example.com, 80) regardless of whether the HTML document was actually retrieved by carrier pigeon or SMTP. (To handle redirects, by the way, you have to use the last URL in the redirect chain.) Adam
Received on Wednesday, 11 February 2009 20:38:51 UTC