- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 23 Feb 2009 13:21:32 -0800
- To: Breno de Medeiros <breno@google.com>
- Cc: Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Mon, Feb 23, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com> wrote:
> No, it does not. It does introduce vulnerabilities to clients that visit
> tinyurl.com with the expectation that they will interpret some metadata at
> tinyurl.com to achieve specific aims.

You're right: someone has to use host-meta for something for this attack to work.

> Simply substituting tinyurl.com's
> host-meta affects no one until tinyurl.com starts exposing some type of
> service or application that client apps might want to configure/discover
> using host-meta.

By owning their host-meta, I can opt them into whatever services use host-meta for discovery. Are you really saying that you don't care that I own their host-meta file?

> As for your example of default charsets, where you are using a browser to
> define a generic interpretation of how to use host-meta to discover default
> charsets, it sounds like such API would need to be designed as:
>
> getHostMetaValue(URL resource_url, String host_meta_key, boolean
> isAllowedToFollowRedirects)
>
> which hardly sounds to me like a burden.

Don't forget mime types!

String getHostMetaValue(URL resource_url, String host_meta_key, Boolean is_allowed_to_follow_redirects, Boolean require_strict_mime_type_processing)

What about paper cut #37?

String getHostMetaValue(URL resource_url, String host_meta_key, Boolean is_allowed_to_follow_redirects, Boolean require_strict_mime_type_processing, Boolean opt_out_of_paper_cut_37)

That's the path to madness.

Adam
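The redirect problem and the per-call knobs Adam sketches above, as an added Python simulation that is not part of the thread: a short-link host forwards its /host-meta to a third party, so a client that follows redirects takes that party's answer, while one that refuses redirects and insists on the expected media type does not. The host names, responses, the key/value body format and the application/host-meta Content-Type are all constructed or assumed for the illustration.

```python
# Simulated host-meta discovery. All hosts and responses are constructed; the
# key/value body format and the Content-Type value are assumed for illustration.
from urllib.parse import urlparse

# Constructed responses keyed by URL: (status, headers, body).
# shortener.example forwards every path, /host-meta included, to whatever
# target was registered for it, so a third party ends up answering for it.
RESPONSES = {
    "http://shortener.example/host-meta":
        (302, {"Location": "http://third-party.example/host-meta"}, ""),
    "http://third-party.example/host-meta":
        (200, {"Content-Type": "application/host-meta"}, "charset: koi8-r\n"),
    "http://honest.example/host-meta":
        (200, {"Content-Type": "application/host-meta"}, "charset: utf-8\n"),
    "http://sloppy.example/host-meta":
        (200, {"Content-Type": "text/html"}, "charset: utf-8\n"),
}
REDIRECTS = {301, 302, 303, 307, 308}

def fetch(url):
    """Stand-in for an HTTP GET against the constructed table above."""
    return RESPONSES.get(url, (404, {}, ""))

def parse_host_meta(body):
    """Assumed 'key: value' line format; keys are case-insensitive."""
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip().lower()] = v.strip()
    return fields

def get_host_meta_value(resource_url, key, follow_redirects=False,
                        strict_mime=True, max_hops=5):
    """Return (value, None) on success or (None, reason) when refused."""
    o = urlparse(resource_url)
    url = f"{o.scheme}://{o.netloc}/host-meta"  # always the resource's own host
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status in REDIRECTS:
            if not follow_redirects:
                return None, f"refused redirect from {url}"
            url = headers["Location"]  # trusting this hands the answer to whoever it points at
            continue
        if status != 200:
            return None, f"{url} answered {status}"
        if strict_mime and headers.get("Content-Type") != "application/host-meta":
            return None, f"{url} served {headers.get('Content-Type')}"
        return parse_host_meta(body).get(key), None
    return None, "too many redirects"
```

Run the strict defaults against shortener.example and the lookup is refused; pass follow_redirects=True and the third party's charset comes back as if it were the shortener's own.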
Received on Monday, 23 February 2009 21:22:09 UTC