On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Your approach is wrong. Host-meta should not be trying to address such
> security concerns.

Ignoring security problems doesn't make them go away. It just means you'll have to pay the piper more later.

> Applications making use of it should. There are plenty of
> applications where no one cares about security. Obviously, crossdomain.xml
> needs to be secure, since, well, it is all about that.

What's the point of a central metadata repository that can't handle the most popular use case of metadata?

> An application with strict security requirements should pay attention to the
> experience you are referring to. We certainly agree on that. But that is
> application-specific.

Here's what I recommend:

1) Change the scope of the host-meta to default to the origin of the URL from which it was retrieved (as computed by the algorithm in draft-abarth-origin).

2) Let particular applications narrow this scope if they require additional granularity.

Adam
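
The two-step recommendation in the message above, sketched as an added example that is not part of the original message or of draft-abarth-origin: the default scope is the origin of the URL the host-meta was fetched from, and an application rule can only narrow it. It assumes the origin can be approximated as the scheme/host/port triple for http and https; `under_path` is a hypothetical application rule and all URLs are constructed.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), or None when no usable origin exists."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed authority or port
        return None
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, DEFAULT_PORTS[scheme] if port is None else port)


def in_scope(host_meta_url, resource_url, narrow=None):
    """True if host-meta fetched from host_meta_url may describe resource_url."""
    meta = origin(host_meta_url)
    if meta is None or origin(resource_url) != meta:
        return False  # default scope: same origin only
    # An application rule is consulted only after the origin check,
    # so it can shrink the scope but never extend it.
    return True if narrow is None else bool(narrow(resource_url))


def under_path(prefix):
    """Hypothetical application rule: only resources below `prefix`."""
    prefix = prefix.rstrip("/") + "/"

    def rule(url):
        path = unquote(urlsplit(url).path)
        if any(seg in (".", "..") for seg in path.split("/")):
            return False  # fail closed on dot segments, encoded or not
        return path.startswith(prefix)

    return rule


if __name__ == "__main__":
    meta = "https://example.com/host-meta"  # constructed URL
    for target in ("https://example.com/users/alice",
                   "http://example.com/users/alice",
                   "https://example.com/users/%2e%2e/admin"):
        print(target, in_scope(meta, target, under_path("/users")))
```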