Adam Barth | 10 Feb 17:58

Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

Wow, this draft is scary.  I haven't seen the prior discussion of this
draft, but we should learn from the mistakes of Flash's
crossdomain.xml policy file.  In particular, you should require that
the host-meta file should be served with a specific mime type (ignore
the response if the mime type is wrong).  This protects servers that
let users upload content from having attackers upload a bogus
host-meta file.

Also, if you want this feature to be useful for Web browsers, you
should align the scope of the host-meta file with the notion of origin
(not authority).  Section 4 seems to imply that the scope is
"www.example.com:80" but Section 6 implies the scope is
"https://www.example.com".  In fact, computing the origin of a URL
correctly is more complex than this draft assumes.  For details, see
my origin draft.

That said, I think host-meta would be super useful if specified correctly.

Adam

On Tue, Feb 10, 2009 at 6:57 AM, Thomas Roessler <tlr <at> w3.org> wrote:
> Reading draft-nottingham-site-meta-01...
>
>> 4. Discovering host-meta Files
>
>> The metadata for a given authority can be discovered by dereferencing the
>> path /host-meta on the same authority. For example, for an HTTP URI
>> [RFC2616], the following request would obtain metadata for the authority
>> "www.example.com:80";
>
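
The two checks argued for in the message above (ignore a host-meta response with the wrong media type, and scope it by origin rather than authority), sketched as an added example that is not part of the original thread or of the draft. The media type is a placeholder because the message does not name one, the function names are hypothetical, and the origin here is a simplified scheme/host/port tuple, not the full computation the message says is needed.

```python
from urllib.parse import urlsplit

# Assumed placeholder: the message does not name the media type to require.
EXPECTED_TYPE = "application/x-host-meta-example"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Simplified origin: (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("no usable origin for %r" % url)
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


def media_type(content_type):
    """Strip parameters such as charset and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def accept_host_meta(resource_url, response_url, content_type):
    """Decide whether a fetched host-meta response may govern resource_url."""
    if media_type(content_type) != EXPECTED_TYPE:
        return False  # e.g. a user-uploaded file served as text/plain
    try:
        # Same host on a different scheme or port is a different origin.
        return origin(resource_url) == origin(response_url)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs.
    page = "https://www.example.com/page"
    print(accept_host_meta(page, "https://www.example.com/host-meta", EXPECTED_TYPE))
    print(accept_host_meta(page, "https://www.example.com/host-meta", "text/plain"))
    print(accept_host_meta(page, "http://www.example.com:80/host-meta", EXPECTED_TYPE))
```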