On 28 October 2014 12:21, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
> On 10/27/2014 7:19 PM, Matthew Kerwin wrote:
>> So there is no model for communicating back to the browser that content
>> is safe or not, never mind for communicating up to the user.
>> Actually, there's Preference-Applied. I don't recall seeing that
>> forbidden by this draft, and it's a "MAY send" in RFC 7240. That said,
>> it would still be a bit silly for a browser to add UI to advertise the
>> presence of the header.
> Forgive me, but: THAT HAS NOTHING TO DO WITH THIS DRAFT.
> My comments concerned only this draft.
It's a normative reference. While I support the draft, I'm still willing
to play devil's advocate here. Brian has managed to point out that, today,
there's no metadata or side-channel communication from server to browser
that suggests that the content is in any way "safe", but by standardising
Prefer: safe, we introduce Preference-Applied: safe, which allows servers to
"lie" in metadata as well as in data.
Whether or how much of a lie it is depends on the interpretation of
Preference-Applied: safe.
As I said earlier, I don't believe it's an issue, but it's still a new
thing, introduced by this draft. It's right for us to address it, even if
just to say it's not an issue.
--
Matthew Kerwin
http://matthew.kerwin.net.au/
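Since the thread turns on what Prefer: safe and Preference-Applied: safe actually communicate, here is an added illustration (my own example, not code from the draft, from RFC 7240, or from anyone in the thread) that parses both field values with the RFC 7240 preference grammar and walks through a constructed client/server exchange. The origin server in `handle_request`, its `filter_content` callback and the sample header values are all hypothetical; the part worth noticing is that `server_claims_safe` can only report what the server asserted about itself, which is the "lie in metadata" concern above.

```python
"""Parsing RFC 7240 Prefer / Preference-Applied fields and checking the
"safe" preference. Added example; not the draft's or RFC's own code."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# (value, parameters) for one preference, e.g. wait=10; foo=bar
Preference = Tuple[Optional[str], Dict[str, Optional[str]]]
Headers = List[Tuple[str, str]]  # list so repeated header fields survive

# RFC 7240 section 2 (simplified):
#   preference = token [ "=" word ] *( ";" [ parameter ] )
#   parameter  = token [ "=" word ]        word = token / quoted-string
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_WORD = rf'(?:{_TOKEN}|"(?:[^"\\]|\\.)*")'
_ITEM = re.compile(rf"\s*({_TOKEN})(?:\s*=\s*({_WORD}))?\s*")


def _split_outside_quotes(value: str, sep: str) -> List[str]:
    """Split on `sep` but not inside a quoted-string (quoted words may contain , or ;)."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def _unquote(word: Optional[str]) -> Optional[str]:
    if word is not None and word.startswith('"') and word.endswith('"'):
        return re.sub(r"\\(.)", r"\1", word[1:-1])
    return word


def parse_preferences(field_value: str) -> Dict[str, Preference]:
    """Parse a Prefer or Preference-Applied field value into {token: (value, params)}.
    Tokens are case-insensitive; if a preference repeats, only the first instance
    counts (RFC 7240 section 2). Malformed items are skipped, not fatal."""
    prefs: Dict[str, Preference] = {}
    for item in _split_outside_quotes(field_value, ","):
        pieces = _split_outside_quotes(item, ";")
        m = _ITEM.fullmatch(pieces[0])
        if not m or m.group(1).lower() in prefs:
            continue
        params: Dict[str, Optional[str]] = {}
        for p in pieces[1:]:
            pm = _ITEM.fullmatch(p)
            if pm:
                params[pm.group(1).lower()] = _unquote(pm.group(2))
        prefs[m.group(1).lower()] = (_unquote(m.group(2)), params)
    return prefs


def _joined(headers: Headers, name: str) -> str:
    # Repeated instances of a list-valued field combine as a comma-separated list.
    return ",".join(v for k, v in headers if k.lower() == name.lower())


def client_requested_safe(request_headers: Headers) -> bool:
    """True iff the request carries the "safe" preference."""
    return "safe" in parse_preferences(_joined(request_headers, "Prefer"))


def server_claims_safe(response_headers: Headers) -> bool:
    """True iff the server *asserted* it applied "safe". This is the server's own
    untrusted statement about its behaviour, not evidence about the body; the
    client learns nothing about the content itself from it."""
    return "safe" in parse_preferences(_joined(response_headers, "Preference-Applied"))


def handle_request(request_headers: Headers,
                   filter_content: Callable[[str], str]) -> Tuple[Headers, str]:
    """Hypothetical origin server (constructed): applies the safe preference by
    running filter_content and, as RFC 7240 section 3 permits (MAY), says so."""
    body = "<p>unfiltered content</p>"  # constructed sample body
    response: Headers = [("Content-Type", "text/html")]
    if client_requested_safe(request_headers):
        body = filter_content(body)
        response.append(("Preference-Applied", "safe"))
    return response, body


if __name__ == "__main__":
    req: Headers = [("Host", "example.invalid"), ("Prefer", "safe, wait=10")]
    resp, body = handle_request(req, lambda b: "<p>filtered content</p>")
    print(resp, body, server_claims_safe(resp))
```

Note that a server that sends `Preference-Applied: safe` without filtering anything produces exactly the same `True` from `server_claims_safe`; nothing in the header lets a client distinguish the two cases.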