- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 11 Feb 2009 16:52:05 -0800
- To: Breno de Medeiros <breno@google.com>
- Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Wed, Feb 11, 2009 at 4:45 PM, Breno de Medeiros <breno@google.com> wrote:
> Ah, thought that you were still suggesting that this be a spec requirement.

I think that would be better, but I understand your concern about
limited hosting environments. I suspect there is a clever solution
along the lines of what Silverlight is doing.

> What about browser-based applications using host-meta ...

Browser-based is a red herring. This issue affects security-critical
server-to-server use cases as well. For example, suppose someone uses
host-meta to specify the URL to use for a server-to-server
authentication API:

GET /host-meta HTTP/1.1
Host: example.com:80

Content-Type: text/plain

Authentication-URL: https://foobar.com/authentication-api

If example.com is a Web server that lets an attacker upload a text
file named "host-meta" to the root directory (which is safe behavior
today), then the attacker has just hacked the server-to-server
authentication protocol.

Adam
Received on Thursday, 12 February 2009 00:52:49 UTC
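The scenario in Adam's message, as an added example that is not part of the thread and not code from any host-meta implementation. It models a web root as a dictionary, the "safe today" text-file upload that plants a root-level host-meta, a relying party that trusts whatever that file says, and one assumed hardening policy (same-host, https-only) that is not something the thread or a spec prescribes. The "Name: value" line format, the hostnames and all helper names are assumptions taken from or made up around the quoted example.

```python
"""Toy host-meta consumer for the attack described in the message above.

Added example, not code from the thread. Assumed for illustration: the
"Name: value" directive format of the quoted reply, the hostnames, the
web-root model, and every helper name below.
"""
from typing import Optional
from urllib.parse import urlparse

# Constructed: example.com's web root before the attack. The operator never
# published a host-meta file, which is the realistic case for a server that
# merely allows text-file uploads.
ORIGINAL_WEB_ROOT = {
    "/index.html": "<html>welcome</html>",
}

# Constructed: the attacker's upload. Anyone who may drop a text file named
# "host-meta" into the root directory can plant this.
ATTACKER_HOST_META = "Authentication-URL: https://foobar.com/authentication-api\n"

# Constructed: what a legitimate operator would have served instead.
LEGIT_HOST_META = "Authentication-URL: https://example.com/authentication-api\n"


def upload_text_file(web_root: dict, name: str, content: str) -> dict:
    """Model the 'safe behavior today': an uploaded text file lands at the root."""
    updated = dict(web_root)
    updated["/" + name] = content
    return updated


def fetch_host_meta(web_root: dict) -> Optional[str]:
    """Model GET /host-meta: return the root-level file if one exists."""
    return web_root.get("/host-meta")


def parse_host_meta(body: str) -> dict:
    """Parse 'Name: value' lines (assumed format) into a dict keyed by lowercase name."""
    directives = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            directives[name.strip().lower()] = value.strip()
    return directives


def naive_auth_url(web_root: dict) -> Optional[str]:
    """The consumer Adam warns about: whatever /host-meta says is trusted."""
    body = fetch_host_meta(web_root)
    if body is None:
        return None
    return parse_host_meta(body).get("authentication-url")


def checked_auth_url(web_root: dict, host: str) -> str:
    """Assumed hardening policy (not from the thread or any spec): require https
    and refuse an Authentication-URL that delegates authentication to a host
    other than the one host-meta was fetched from (or its subdomains).

    Caveat: this only blocks delegation to a third party such as foobar.com.
    An attacker who can also serve content from some path on the same host is
    not stopped; only a location the attacker cannot write closes that gap,
    which is the spec-requirement question the thread is debating.
    """
    body = fetch_host_meta(web_root)
    if body is None:
        raise ValueError("no host-meta published")
    url = parse_host_meta(body).get("authentication-url")
    if url is None:
        raise ValueError("host-meta has no Authentication-URL")
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https authentication URL: {url}")
    target = parts.hostname or ""
    if target != host and not target.endswith("." + host):
        raise ValueError(f"Authentication-URL delegates off-host: {url}")
    return url


def rejects(web_root: dict, host: str) -> bool:
    """True if the checked consumer refuses this site's host-meta."""
    try:
        checked_auth_url(web_root, host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hijacked = upload_text_file(ORIGINAL_WEB_ROOT, "host-meta", ATTACKER_HOST_META)
    print("naive consumer now authenticates against:", naive_auth_url(hijacked))
    print("checked consumer rejects it:", rejects(hijacked, "example.com"))
```

Running the block shows the naive consumer switching its authentication endpoint to foobar.com purely because an unprivileged upload created /host-meta. The same-host check is a partial mitigation only; the later host-meta specification (RFC 6415) moved the file under /.well-known/, a path a root-directory text upload of the kind described here does not create.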