Thanks Adam.

> -----Original Message-----
> From: ietf-http-wg-requ...@w3.org [mailto:ietf-http-wg-requ...@w3.org]
> On Behalf Of Adam Barth
> Sent: Tuesday, February 10, 2009 8:58 AM
>
> Wow, this draft is scary.

Not the emotion I was looking for but at least it moved you... :-)

> In particular, you should require that
> the host-meta file should be served with a specific mime type (ignore
> the response if the mime type is wrong). This protects servers that
> let users upload content from having attackers upload a bogus
> host-meta file.

I am not sure the value added in security (which I find hard to buy) is worth excluding many hosting solutions where people do not always have access to setting content-type headers. After all, focusing on an HTTP GET based solution was based on getting the most accessible approach.

> Also, if you want this feature to be useful for Web browsers, you
> should align the scope of the host-meta file with the notion of origin
> (not authority).

The scope is host/port/protocol. The protocol is not said explicitly but is very much implied. I'll leave it up to Mark to address wordings. As for the term 'origin', I'd rather do anything but get involved with another term at this point.

EHL
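Added example, not part of either message or of the draft: a client-side sketch of the two checks discussed in this exchange, ignoring a host-meta response whose media type is wrong and scoping an accepted file to scheme, host and port. The media type string, the function names and the example.com URLs are assumptions made for illustration; the thread does not name the required type.

```python
from urllib.parse import urlsplit

# Assumption: placeholder media type; the thread does not say which type is required.
EXPECTED_TYPE = "application/x-host-meta-example"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple for url, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % (url,))
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


def media_type(content_type):
    """Drop parameters such as charset and normalise case; None if the header is absent."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def accept_host_meta(fetched_url, headers, body):
    """Return (scope, body) if the response may be used as host-meta, else None.

    headers is a dict of response headers with lower-cased names.
    """
    if media_type(headers.get("content-type")) != EXPECTED_TYPE:
        # A file uploaded by a user is typically served with whatever type the
        # upload feature assigns, so it is ignored here.
        return None
    return origin(fetched_url), body


def applies_to(scope, resource_url):
    """An accepted file describes a resource only if scheme, host and port all match."""
    return scope == origin(resource_url)


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    url = "https://example.com/host-meta"
    print(accept_host_meta(url, {"content-type": "text/html"}, "<bogus>"))
    accepted = accept_host_meta(url, {"content-type": EXPECTED_TYPE}, "<meta>")
    print(accepted, applies_to(accepted[0], "http://example.com/page"))
```

The trade-off raised in the reply shows up directly: a host that cannot set Content-Type headers can never pass the first check.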