- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 11 Feb 2009 18:20:07 -0800
- To: Breno de Medeiros <breno@google.com>
- Cc: Ian Hickson <ian@hixie.ch>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Wed, Feb 11, 2009 at 6:04 PM, Breno de Medeiros <breno@google.com> wrote: > So the proposal is for a security considerations section that describes > attending threats and strongly hint that applications will be vulnerable if > they do not adopt techniques to validate the results. It would suggest the > use of content-type headers and explain what types of threats it protects > against, provided that it includes caveats that this technique may not be > sufficient for some applications and as well as not necessary for others > that use higher-assurance approaches to directly validate the results > discovered through host-meta. Sounds good to me. I'm not that familiar with IETF process. Should I draft this section and email it to someone? > I still do not think this is necessary because the threat model attending > this is much broader than crossdomain.xml and applications that rely on this > will have to understand their own security needs or be necessarily > vulnerable. On the other hand, I will not argue against it either. For my part, I'd rather we go further and require strict Content-Type processing. :) Adam
Received on Thursday, 12 February 2009 02:20:42 UTC