On Wed, Feb 11, 2009 at 4:45 PM, Breno de Medeiros <br...@google.com> wrote: > Ah, thought that you were still suggesting that this be a spec requirement.
I think that would be better, but I understand your concern about limited hosting environments. I suspect there is a clever solution along the lines of what Silverlight is doing. > What about browser-based applications using host-meta ... Browser-based is a red herring. This issue affects security-critical server-to-server use cases as well. For example, suppose someone uses host-meta to specify the URL to use for a server-to-server authentication API: GET /host-meta HTTP/1.1 Host: example.com:80 Content-Type: text/plain Authentication-URL: https://foobar.com/authentication-api If example.com is a Web server that lets an attacker upload a text file named "host-meta" to the root directory (which is safe behavior today), then the attacker has just hacked the server-to-server authentication protocol. Adam
