On 2013-03-11 3:46 PM, "Jeroen De Dauw" <jeroended...@gmail.com> wrote:
>
> Hey,
>
> > Sure you could add some mechanism to prove you own the domain where you
> > want the rc updates to be sent, but things can get rather complex.
> >
>
> Google uses, or at least used to use, the following to do exactly that:
>
> On request provide an auth file to the user which includes some unique
> identifier. Require this file to be made available via the domain in
> question. Have the user point to the location where it is made available
> and check if it is actually there. If so, domain authenticated.
>
> That seems rather simple to create.
>
> Cheers
>
> --
> Jeroen De Dauw
> http://www.bn2vs.com
> Don't panic. Don't be evil.
> --
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

I think that proves my point - what you describe is not what Google does.
Google tells the user the path for the file (I believe the usual place is
in the root of the domain). The user does not pick the path. Otherwise I
could prove I own wikipedia (assuming mime types weren't checked) by using
action=raw.

Things that finicky to be made secure should be avoided imo.

-bawolff
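
The distinction drawn in the reply above, as an added example that is not part of the original thread: the verifier builds the one URL it will fetch from the bare hostname and its own token, and accepts the response only if it came from exactly that URL with the expected MIME type. The file name prefix, the `text/plain` requirement and all sample values are assumptions made for illustration.

```python
# Hypothetical fixed location in the domain root; the verifier picks it, not the user.
WELL_KNOWN_PREFIX = "/rc-feed-verify-"


def verification_url(domain: str, token: str) -> str:
    """Return the only URL the verifier will fetch for this domain and token."""
    host = domain.strip().lower()
    # Accept a bare hostname only: no path, query, fragment, port or userinfo,
    # so the requester cannot steer the check to a page they can edit.
    if not host or any(c in host for c in "/?#@:\\ \t\r\n"):
        raise ValueError("domain must be a bare hostname")
    if not (token.isascii() and token.isalnum()):
        raise ValueError("token must be ASCII alphanumeric")
    return f"https://{host}{WELL_KNOWN_PREFIX}{token}.txt"


def response_proves_ownership(expected_url: str, final_url: str, status: int,
                              content_type: str, body: str, token: str) -> bool:
    """Judge a fetched response; the caller passes what its HTTP client saw."""
    if final_url != expected_url:   # redirected or fetched from somewhere else
        return False
    if status != 200:
        return False
    # MIME check: a user-editable page served under another type is not proof.
    if content_type.split(";")[0].strip().lower() != "text/plain":
        return False
    return body.strip() == token


if __name__ == "__main__":
    token = "abc123"                                  # constructed sample token
    url = verification_url("Example.org", token)
    print(url)
    # Constructed responses: a genuine file, then the token echoed back by a
    # user-editable page at a different URL with a different MIME type.
    print(response_proves_ownership(url, url, 200, "text/plain; charset=utf-8",
                                    "abc123\n", token))
    print(response_proves_ownership(
        url, "https://example.org/w/index.php?title=User:X&action=raw",
        200, "text/x-wiki", "abc123", token))
```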