- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 11 Feb 2009 14:01:20 -0800
- To: Breno de Medeiros <breno@google.com>
- Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 1:46 PM, Breno de Medeiros <breno@google.com> wrote:
> The current proposal for host-meta addresses some use cases that today
> simply _cannot_ be addressed without it.

I'm not familiar with our process for adopting new use cases, but let's think more carefully about one of the listed use cases:

On Wed, Feb 11, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com> wrote:
> 1. Security critical ones, but for server-to-server discovery uses (not
> browser mediated)

To serve this use case, we should require that the host-meta file be served with a specific, novel content type. Without this requirement, servers that try to use the host-meta file for security-critical server-to-server discovery will be tricked by attackers who upload fake host-meta files to unknowing servers.

> Your proposal restricts the
> discovery process in ways that may have unintended consequences in terms of
> prohibiting future uses.

How does requiring a specific Content-Type prohibit future uses?

> This is so that browsers can avoid implementing
> same-domain policy checks at the application layer?

No, this is to protect servers that let attackers upload previously benign content to now-magical paths.

Adam

Received on Wednesday, 11 February 2009 22:02:01 UTC
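
The Content-Type requirement discussed in the message above, sketched from the side of a server doing server-to-server discovery. This is an added example, not part of the original message or of any host-meta specification text; `REQUIRED_TYPE` is a placeholder because the message names no concrete type, and the sample responses are constructed.

```python
# Added illustration. REQUIRED_TYPE is a hypothetical placeholder: the message
# only asks for "a specific, novel content type" and does not name one.
REQUIRED_TYPE = "application/x-host-meta-example"


def media_type(headers):
    """Return the lowercased media type from Content-Type, or None.

    None is returned when the header is missing or appears more than once,
    so the caller never has to guess which value the origin meant.
    """
    values = [v for k, v in headers if k.lower() == "content-type"]
    if len(values) != 1:
        return None
    essence = values[0].split(";", 1)[0].strip().lower()  # drop parameters
    return essence or None


def accept_host_meta(status, headers, body):
    """Decide whether a fetched host-meta response may drive discovery.

    Returns (accepted, reason). The body is deliberately never inspected to
    infer a type: sniffing would let an uploaded file pass the check again.
    """
    if status != 200:
        return False, "status %d" % status
    mt = media_type(headers)
    if mt is None:
        return False, "missing or ambiguous Content-Type"
    if mt != REQUIRED_TYPE:
        return False, "unexpected Content-Type %s" % mt
    return True, "ok"


BODY = b"(constructed host-meta body)"
# Constructed responses: one published by the site operator, the rest as a
# generic upload feature or a misconfigured server would serve the same bytes.
SAMPLES = {
    "operator-published": (200, [("Content-Type", "Application/X-Host-Meta-Example; charset=utf-8")], BODY),
    "upload-as-text": (200, [("Content-Type", "text/plain")], BODY),
    "upload-as-octet-stream": (200, [("content-type", "application/octet-stream")], BODY),
    "no-content-type": (200, [], BODY),
    "duplicate-content-type": (200, [("Content-Type", REQUIRED_TYPE), ("Content-Type", "text/plain")], BODY),
}


def evaluate_samples():
    """Map each sample name to whether the response is accepted."""
    return {name: accept_host_meta(*resp)[0] for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, accept_host_meta(*resp))
```
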