- From: Breno de Medeiros <breno@google.com>
- Date: Wed, 11 Feb 2009 16:45:40 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
Received on Thursday, 12 February 2009 00:46:19 UTC
On Wed, Feb 11, 2009 at 4:43 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Wed, Feb 11, 2009 at 4:40 PM, Breno de Medeiros <breno@google.com> wrote:
> > Yes, but your solution prevents legitimate use cases that are a higher value
> > proposition.
>
> How does:
>
> On Wed, Feb 11, 2009 at 3:22 PM, Adam Barth <w3c@adambarth.com> wrote:
> > 2) Add a section to Security Considerations that explains that
> > applications using host-meta should consider adding requirement (1)
> [strict Content-Type processing].
>
> prevent legitimate use cases?
>
> It's not the ideal solution because it passes the buck to
> application-land, but it's orders of magnitude better than laying a
> subtle trap for those folks.

Ah, thought that you were still suggesting that this be a spec requirement. What about browser-based applications using host-meta ...

> Adam

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)