Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

On Mon, Feb 23, 2009 at 1:21 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Mon, Feb 23, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com>
> wrote:
> > No, it does not. It does introduce vulnerabilities to clients that visit
> > tinyurl.com with the expectation that they will interpret some metadata
> at
> > tinyurl.com to achieve specific aims.
>
> You're right: someone has to use host-meta for something for this
> attack to work.
An application would have to use host-meta for a particular aim (e.g., a
browser discovering default charsets) and implement the spec blindly without
regard to security considerations.
>
>
> > Simply substituting tinyurl.com's
> > host-meta affects no one until tinyurl.com starts exposing some type of
> > service or application that client apps might want to configure/discover
> > using host-meta.
>
> By owning their host-meta, I can opt them into whatever services use
> host-meta for discovery.
>
> Are you really saying that you don't care that I own their host-meta file?
>
> > As for your example of default charsets, where you are using a browser to
> > define a generic interpretation of how to use host-meta to discover
> default
> > charsets, it sounds like such API would need to be designed as:
> >
> > getHostMetaValue(URL resource_url, String host_meta_key, boolean
> > isAllowedToFollowRedirects)
> >
> > which hardly sounds to me like a burden.
>
> Don't forget mime types!
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing)
>
> What about paper cut #37?
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing, Boolean opt_out_of_paper_cut_37)
>
> That's the path to madness.
>
> Adam
>
-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

Received on Monday, 23 February 2009 21:49:27 UTC
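As an added illustration of the two checks the thread argues about (redirect handling and media-type strictness), not code from the thread, the draft, or either author: a host-meta fetcher that refuses redirects leaving the original authority and rejects documents served with the wrong media type, run against a constructed offline map of responses. The hostnames, the "application/host-meta" media type string, and the FAKE_NET client are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

# Constructed offline stand-in for an HTTP client: URL -> canned Response.
FAKE_NET: Dict[str, Response] = {
    # A host that serves its own host-meta directly.
    "http://example.com/host-meta": Response(
        200, {"Content-Type": "application/host-meta"},
        b'Link: </robots.txt>; rel="robots"\n'),
    # A URL shortener that redirects /host-meta, like any other path, wherever
    # a user asked it to; following this would let the target speak for the host.
    "http://shortener.example/host-meta": Response(
        302, {"Location": "http://attacker.example/fake-host-meta"}),
    "http://attacker.example/fake-host-meta": Response(
        200, {"Content-Type": "application/host-meta"},
        b'Link: <http://attacker.example/>; rel="discovery"\n'),
    # A host whose catch-all page answers 200 with HTML for every path.
    "http://catchall.example/host-meta": Response(
        200, {"Content-Type": "text/html"}, b"<html>not here</html>"),
}

def authority(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) that a redirect must preserve to be followed."""
    p = urlsplit(url)
    default = 443 if p.scheme.lower() == "https" else 80
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port or default)

def fetch_host_meta(host_uri: str, expected_type: str = "application/host-meta",
                    max_redirects: int = 5) -> Tuple[Optional[bytes], str]:
    """Return (body, reason); body is None when the document is rejected."""
    origin = authority(host_uri)
    url = host_uri.rstrip("/") + "/host-meta"
    for _ in range(max_redirects + 1):
        resp = FAKE_NET.get(url)
        if resp is None:
            return None, "no response"
        if resp.status in (301, 302, 303, 307, 308):
            target = resp.headers.get("Location", "")
            if authority(target) != origin:   # redirect leaves the authority
                return None, f"cross-authority redirect to {target}"
            url = target
            continue
        if resp.status != 200:
            return None, f"status {resp.status}"
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype != expected_type:            # strict media-type processing
            return None, f"unexpected media type {ctype!r}"
        return resp.body, "ok"
    return None, "too many redirects"
```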