[OpenID] Summarizing my grouse with XRD
SitG Admin
sysadmin at shadowsinthegarden.com
Wed Oct 21 23:12:47 UTC 2009
>Not necessarily all applications are security sensitive. Think about
>robots.txt. Does it have a Subject? No. Does it introduce security
>vulnerabilities? No. Is it metadata about something? Yes.
It can also be data about something.
(See the blog at 'webmasterworld.com' . . . '/robot.txt'!)
It can also contain active code (both IE and Firefox will process
/robot.txt as HTML if the proper META tags are in that document,
though Safari will not - I tested this several months ago when
preparing a robot.txt file that would parse properly to webspiders
(following the robots spec) *and* to more capable browsers as full
HTML), which introduces a security vulnerability for browsers that
only place security restrictions (for active scripting) on filetypes
(identified by extension) that *should* contain scripts. The upcoming
(draft) spec for HTML 5 has a section addressing this, but it
shouldn't be considered "fixed".
-Shade
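As an added defensive illustration (not part of Shade's post or of any OpenID/XRD code), the following Python script checks the two things a site operator can control against the sniffing problem described above: that the robots.txt body contains only robots directives and comments (no HTML or script markup that a browser might sniff as a document), and that the HTTP response serving it declares `text/plain` and sets `X-Content-Type-Options: nosniff`. The directive list, the header dictionary shape and the sample files are constructed assumptions for the example.

```python
import re

# Directives from the original robots.txt convention plus common extensions
# (assumed list for this example; extend it for site-specific directives).
KNOWN_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}

# Markup that would let a sniffing browser treat the file as HTML.
HTML_MARKER = re.compile(r"<\s*(!doctype|html|head|meta|script|body)\b", re.IGNORECASE)


def audit_robots_body(body):
    """Return (line_number, reason) findings for every non-comment line that is
    not a recognised robots directive. HTML/script markup gets its own reason so
    a reviewer sees the sniffing risk directly."""
    findings = []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if HTML_MARKER.search(line):
            findings.append((lineno, "html-markup"))
            continue
        field, sep, _value = line.partition(":")
        if not sep or field.strip().lower() not in KNOWN_DIRECTIVES:
            findings.append((lineno, "unknown-directive"))
    return findings


def audit_response_headers(headers):
    """Check the headers used to serve robots.txt: the declared type must be
    text/plain and sniffing must be disabled. Header names are matched
    case-insensitively; `headers` is a plain dict (assumed shape)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    issues = []
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "text/plain":
        issues.append("content-type-not-text-plain")
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        issues.append("missing-nosniff")
    return issues


# Constructed sample inputs: one clean file, one that smuggles HTML markup.
CLEAN_ROBOTS = (
    "# constructed sample\n"
    "User-agent: *\n"
    "Disallow: /private/\n"
    "Sitemap: https://example.com/sitemap.xml\n"
)
SUSPECT_ROBOTS = (
    "User-agent: *\n"
    "Disallow: /private/\n"
    '<meta http-equiv="Content-Type" content="text/html">\n'
    "<script>/* constructed placeholder */</script>\n"
)
GOOD_HEADERS = {"Content-Type": "text/plain; charset=utf-8",
                "X-Content-Type-Options": "nosniff"}
BAD_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_ROBOTS), ("suspect", SUSPECT_ROBOTS)):
        print(name, "body findings:", audit_robots_body(body))
    for name, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(name, "header issues:", audit_response_headers(hdrs))
```

Run it against a fetched robots.txt body and the response headers you actually serve; an empty list from both functions means the file cannot be promoted to HTML by a sniffing browser, which is the mitigation the post says the HTML 5 draft only partly addresses.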