On Mon, Feb 23, 2009 at 1:48 PM, Breno de Medeiros <br...@google.com> wrote: > An application would have to use host-meta for a particular aim (e.g., a > browser discovering default charsets) and implement the spec blindly without > regard to security considerations.
Just because we can pass the buck to application-land doesn't mean we should write a spec full of security land mines. Adam