On Wed, Feb 11, 2009 at 1:46 PM, Breno de Medeiros <br...@google.com> wrote: > The current proposal for host-meta addresses some use cases that today > simply _cannot_ be addressed without it.
I'm not familiar our process for adopting new use cases, but let's think more carefully about one of the listed use cases: On Wed, Feb 11, 2009 at 1:04 PM, Breno de Medeiros <br...@google.com> wrote: > 1. Security critical ones, but for server-to-server discovery uses (not > browser mediated) To serve this use case, we should require that the host-meta file be served with a specific, novel content type. Without this requirement, servers that try to use the host-meta file for security-critical server-to-server discovery will be tricked by attackers who upload fake host-meta files to unknowing servers. > Your proposal restricts the > discovery process in ways that may have unintended consequences in terms of > prohibiting future uses. How does requiring a specific Content-Type prohibit future uses? > This is so that browsers can avoid implementing > same-domain policy checks at the application layer? No, this is to protect servers that let attackers upload previously benign content to now-magical paths. Adam
