On Mon, Feb 23, 2009 at 1:21 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Feb 23, 2009 at 1:04 PM, Breno de Medeiros <breno@google.com>
> wrote:
> > No, it does not. It does introduce vulnerabilities to clients that visit
> > tinyurl.com with the expectation that they will interpret some metadata at
> > tinyurl.com to achieve specific aims.
>
> You're right: someone has to use host-meta for something for this
> attack to work.

An application would have to use host-meta for a particular aim (e.g., a browser discovering default charsets) and implement the spec blindly without regard to security considerations.

> > Simply substituting tinyurl.com's
> > host-meta affects no one until tinyurl.com starts exposing some type of
> > service or application that client apps might want to configure/discover
> > using host-meta.
>
> By owning their host-meta, I can opt them into whatever services use
> host-meta for discovery.
>
> Are you really saying that you don't care that I own their host-meta file?
>
> > As for your example of default charsets, where you are using a browser to
> > define a generic interpretation of how to use host-meta to discover default
> > charsets, it sounds like such API would need to be designed as:
> >
> > getHostMetaValue(URL resource_url, String host_meta_key, boolean
> > isAllowedToFollowRedirects)
> >
> > which hardly sounds to me like a burden.
>
> Don't forget mime types!
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing)
>
> What about paper cut #37?
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing, Boolean opt_out_of_paper_cut_37)
>
> That's the path to madness.
>
> Adam

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

Received on Monday, 23 February 2009 21:49:27 UTC
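The getHostMetaValue API sketched in the thread, as an added example that is not code from the thread or from any host-meta implementation: a fetcher that refuses redirects and off-type responses by default, run against a constructed fake web so the two flags can be compared offline. It assumes /.well-known/host-meta as the location, text/plain as the media type and a one-pair-per-line "Key: value" body; the thread fixes none of these.

```python
from urllib.parse import urlsplit
HOST_META_MIME = "text/plain"  # assumed media type; the thread does not fix one
MAX_REDIRECTS = 3
class HostMetaError(Exception): pass

def host_meta_url(resource_url):
    # Discovery is per authority: the document is looked up on the resource's own host.
    parts = urlsplit(resource_url)
    return f"{parts.scheme}://{parts.netloc}/.well-known/host-meta"  # assumed path
def parse_host_meta(body):
    # Constructed stand-in syntax: one "Key: value" pair per line, keys case-insensitive.
    values = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            values[key.strip().lower()] = value.strip()
    return values

def get_host_meta_value(resource_url, host_meta_key, fetch,
                        is_allowed_to_follow_redirects=False,
                        require_strict_mime_type_processing=True):
    # fetch(url) -> (status, headers, body); header names are lower-case.
    url = host_meta_url(resource_url)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = fetch(url)
        if 300 <= status < 400:
            if not is_allowed_to_follow_redirects:
                raise HostMetaError(f"refusing redirect from {url}")
            url = headers["location"]  # from here on the document speaks for another host
            continue
        if status != 200:
            raise HostMetaError(f"{url} returned {status}")
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if require_strict_mime_type_processing and ctype != HOST_META_MIME:
            raise HostMetaError(f"{url} served {ctype!r}, not {HOST_META_MIME}")
        return parse_host_meta(body).get(host_meta_key.lower())
    raise HostMetaError("too many redirects")

# Constructed responses standing in for the hosts discussed in the thread.
FAKE_WEB = {
    "http://tinyurl.com/.well-known/host-meta":
        (302, {"location": "http://third-party.example/meta.txt"}, ""),
    "http://third-party.example/meta.txt":
        (200, {"content-type": "text/plain"}, "Default-Charset: iso-8859-1\n"),
    "http://example.com/.well-known/host-meta":
        (200, {"content-type": "text/html"}, "Default-Charset: utf-8\n"),
}
def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))
```

With the defaults the tinyurl.com lookup fails closed; only an explicit is_allowed_to_follow_redirects=True lets the value served by the redirect target stand in for tinyurl.com's own.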