
Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard

2014-10-27 22:29:49
On 10/27/2014 8:19 PM, Matthew Kerwin wrote:
    > Actually, there's Preference-Applied. I don't recall seeing that
    ...
    Forgive me, but:  THAT HAS NOTHING TO DO WITH THIS DRAFT.
    ...
    It's a normative reference. While I support the draft, I'm still
    willing to play devil's advocate here.

Devil's advocacy can be useful, but it requires some care.

The draft's reference to 7240 is quite narrow, pertaining only to the
basic mechanism used to communicate the preference.  It does not have
any discussion about browser response.


Brian has managed to point out
that, today, there's no metadata or side-channel communication from
server to browser that suggests that the content is in any way "safe",
but by standardising Prefer:safe, we introduce Preference-Applied:safe,
which allows servers to "lie" in metadata as well as in data.

Note that the Security Considerations section already cites exposures
with the mechanism and possible misbehaviors by the server.


d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
