- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 12 Feb 2009 22:13:05 +1100
- To: Adam Barth <w3c@adambarth.com>
- Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
WRT DNS rebinding - my initial reaction is that this isn't the proper place to fix this problem; it's not unique by any means to this proposal. My inclination, then, would be to note DNS rebinding as a risk in Security Considerations that prudent clients can protect themselves against, if necessary. Luckily, the IETF has mechanisms in place to get security reviews of proposals, so we can avail ourselves of that to get more definitive advice. Cheers, On 12/02/2009, at 7:31 AM, Adam Barth wrote: > On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <eran@hueniverse.com > > wrote: >> Your approach is wrong. Host-meta should not be trying to address >> such >> security concerns. > > Ignoring security problems doesn't make them go away. It just means > you'll have to pay the piper more later. > >> Applications making use of it should. There are plenty of >> applications where no one care about security. Obviously, >> crossdomain.xml >> needs to be secure, since, well, it is all about that. > > What's the point of a central metadata repository that can't handle > the most popular use case of metadata? > >> An application which strict security requirement should pay >> attention to the >> experience you are referring to. We certainly agree on that. But >> that is >> application-specific. > > Here's what I recommend: > > 1) Change the scope of the host-meta to default to the origin of the > URL from which it was retrieved (as computed by the algorithm in > draft-abarth-origin). > > 2) Let particular applications narrow this scope if they require > additional granularity. > > Adam -- Mark Nottingham http://www.mnot.net/
Received on Thursday, 12 February 2009 11:13:46 UTC