Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

On Wed, Feb 11, 2009 at 1:46 PM, Breno de Medeiros <breno@google.com> wrote:
> The current proposal for host-meta addresses some use cases that today
> simply _cannot_ be addressed without it.

I'm not familiar with our process for adopting new use cases, but let's
think more carefully about one of the listed use cases:

On Wed, Feb 11, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com> wrote:
> 1. Security critical ones, but for server-to-server discovery uses (not
> browser mediated)

To serve this use case, we should require that the host-meta file be
served with a specific, novel content type.  Without this requirement,
servers that try to use the host-meta file for security-critical
server-to-server discovery will be tricked by attackers who upload
fake host-meta files to unknowing servers.

> Your proposal restricts the
> discovery process in ways that may have unintended consequences in terms of
> prohibiting future uses.

How does requiring a specific Content-Type prohibit future uses?

> This is so that browsers can avoid implementing
> same-domain policy checks at the application layer?

No, this is to protect servers that let attackers upload previously
benign content to now-magical paths.

Adam

Received on Wednesday, 11 February 2009 22:02:01 UTC
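
An added example, not part of the original message: one way a server-to-server consumer could enforce the Content-Type requirement argued for above, so that a file merely uploaded to the host-meta path is not trusted. The media type name, the function names and the sample responses are assumptions constructed for illustration; the message does not name the type.

```python
# Hypothetical media type: the message asks for "a specific, novel content
# type" but does not name one, so this value is a placeholder.
HOST_META_TYPE = "application/x-example-host-meta"


class UntrustedHostMeta(Exception):
    """The response must not be used for security-critical discovery."""


def accept_host_meta(status, headers, body):
    """Return body only if the server labelled it as host-meta on purpose.

    headers is a list of (name, value) pairs exactly as received, so that
    duplicate Content-Type headers stay visible instead of being merged.
    """
    if status != 200:
        # Assumption of this example: only a plain 200 response is accepted.
        raise UntrustedHostMeta(f"status {status}")
    values = [v for k, v in headers if k.lower() == "content-type"]
    if len(values) != 1:
        raise UntrustedHostMeta("need exactly one Content-Type header")
    # Compare type/subtype only, case-insensitively, ignoring parameters.
    mtype = values[0].split(";", 1)[0].strip().lower()
    if mtype != HOST_META_TYPE:
        # Never fall back to sniffing the body: an uploaded file can be
        # byte-for-byte identical to a genuine host-meta document.
        raise UntrustedHostMeta(f"unexpected media type {mtype!r}")
    return body


def is_trusted(response):
    """True if accept_host_meta() would accept the (status, headers, body) tuple."""
    try:
        accept_host_meta(*response)
        return True
    except UntrustedHostMeta:
        return False


# Constructed sample responses to GET /host-meta, all with the same body.
BODY = b"(constructed host-meta body)"
# A site that stores user uploads and serves them with a generic type.
UPLOADED = (200, [("Content-Type", "text/plain; charset=utf-8")], BODY)
# A site whose operator deliberately published host-meta.
PUBLISHED = (200, [("Content-Type", "Application/X-Example-Host-Meta; charset=utf-8")], BODY)
# Conflicting labels: refuse rather than pick one.
AMBIGUOUS = (200, [("Content-Type", HOST_META_TYPE), ("content-type", "text/plain")], BODY)
```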