- From: Breno de Medeiros <breno@google.com>
- Date: Mon, 23 Feb 2009 13:27:05 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
- Message-ID: <29fb00360902231327y3e55adc4nf2aa987792cb7b03@mail.gmail.com>
On Mon, Feb 23, 2009 at 1:21 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Feb 23, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com>
> wrote:
> > No, it does not. It does introduce vulnerabilities to clients that visit
> > tinyurl.com with the expectation that they will interpret some metadata at
> > tinyurl.com to achieve specific aims.
>
> You're right: someone has to use host-meta for something for this
> attack to work.
>
> > Simply substituting tinyurl.com's
> > host-meta affects no one until tinyurl.com starts exposing some type of
> > service or application that client apps might want to configure/discover
> > using host-meta.
>
> By owning their host-meta, I can opt them into whatever services use
> host-meta for discovery.
>
> Are you really saying that you don't care that I own their host-meta file?
>
> > As for your example of default charsets, where you are using a browser to
> > define a generic interpretation of how to use host-meta to discover default
> > charsets, it sounds like such an API would need to be designed as:
> >
> > getHostMetaValue(URL resource_url, String host_meta_key, boolean
> > isAllowedToFollowRedirects)
> >
> > which hardly sounds to me like a burden.
>
> Don't forget mime types!
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing)
>
> What about paper cut #37?
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing, Boolean opt_out_of_paper_cut_37)
>
> That's the path to madness.

Another path to madness is to write opt_out_of_paper_cut_37 as part of a generic spec when the vulnerability affects a special class of applications. Unless it is thought out and written directly into the spec or (as others including myself prefer) enforced by the application, it certainly cannot just go away.

>
> Adam
>

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
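The redirect and MIME-type flags argued over in this exchange, worked into a small host-meta fetcher as an added example (not code from the thread or from any host-meta implementation). The media type, the "key: value" file format, the example hosts and the in-memory HTTP stand-in are all assumptions; beyond the two flags, the fetcher refuses any redirect that leaves the original host, which is the case that lets a redirector's host-meta be substituted.

```python
from urllib.parse import urlsplit, urljoin
HOST_META_MIME = "application/host-meta"  # assumed media type, a placeholder

def page(ctype, body): return (200, {"Content-Type": ctype}, body)
def redirect(to): return (302, {"Location": to}, "")

# Constructed in-memory stand-in for HTTP (url -> status, headers, body) so the
# code runs offline; short.example models an open redirector into attacker.example.
FAKE_HTTP = {
    "http://good.example/.well-known/host-meta": page(HOST_META_MIME, "default-charset: utf-8\n"),
    "http://moved.example/.well-known/host-meta": redirect("/meta/host-meta"),
    "http://moved.example/meta/host-meta": page(HOST_META_MIME, "default-charset: iso-8859-1\n"),
    "http://short.example/.well-known/host-meta": redirect("http://attacker.example/host-meta"),
    "http://attacker.example/host-meta": page(HOST_META_MIME, "default-charset: utf-7\n"),
    "http://sloppy.example/.well-known/host-meta": page("text/html", "default-charset: utf-8\n"),
}

def fetch(url):
    return FAKE_HTTP.get(url, (404, {}, ""))

def parse_host_meta(body):
    """Assumed 'key: value' line format; the real host-meta syntax is not on the page."""
    values = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            values[key.strip().lower()] = value.strip()
    return values

def get_host_meta_value(resource_url, host_meta_key,
                        is_allowed_to_follow_redirects,
                        require_strict_mime_type_processing):
    """Value of host_meta_key in the host-meta of resource_url's host, else None."""
    parts = urlsplit(resource_url)
    host, url = parts.netloc, f"{parts.scheme}://{parts.netloc}/.well-known/host-meta"
    for _ in range(5):  # bounded redirect chain
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            target = urljoin(url, headers.get("Location", ""))
            # Follow only if the application opted in, and never to another host.
            if not is_allowed_to_follow_redirects or urlsplit(target).netloc != host:
                return None
            url = target
            continue
        if status != 200:
            return None
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if require_strict_mime_type_processing and ctype != HOST_META_MIME:
            return None
        return parse_host_meta(body).get(host_meta_key.lower())
    return None
```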
Received on Monday, 23 February 2009 21:27:44 UTC