On 10/27/2014 7:19 PM, Matthew Kerwin wrote:
> So there is no model for communicating back to the browser that content
> is safe or not, nevermind for communicating up to the user.
>
> Actually, there's Preference-Applied. I don't recall seeing that
> forbidden by this draft, and it's a "MAY send" in RFC 7240. That said,
> it would still be a bit silly for a browser to add UI to advertise the
> presence of the header.
Forgive me, but: THAT HAS NOTHING TO DO WITH THIS DRAFT.
My comments concerned only this draft.
It's a normative reference. While I support the draft, I'm still willing to play devil's advocate here. Brian has managed to point out that, today, there's no metadata or side-channel communication from server to browser that suggests that the content is in any way "safe", but by standardising Prefer:safe, we introduce Preference-Applied:safe, which allows servers to "lie" in metadata as well as in data.
Whether or how much of a lie it is depends on the interpretation of Preference-Applied:safe.
As I said earlier, I don't believe it's an issue, but it's still a new thing, introduced by this draft. It's right for us to address it, even if just to say it's not an issue.
Matthew Kerwin
http://matthew.kerwin.net.au/