On 10/27/2014 8:19 PM, Matthew Kerwin wrote:
> > Actually, there's Preference-Applied. I don't recall seeing that
...
> Forgive me, but: THAT HAS NOTHING TO DO WITH THIS DRAFT.
...
> It's a normative reference. While I support the draft, I'm still
> willing to play devil's advocate here.

Devil's advocacy can be useful, but it requires some care.

The draft's reference to 7240 is quite narrow, pertaining only to the
basic mechanism used to communicate the preference. It does not have
any discussion about browser response.

> Brian has managed to point out
> that, today, there's no metadata or side-channel communication from
> server to browser that suggests that the content is in any way "safe",
> but by standardising Prefer:safe, we introduce Preference-Applied:safe,
> which allows servers to "lie" in metadata as well as in data.

Note that the Security Considerations section already cites exposures
with the mechanism and possible misbehaviors by the server.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
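The "basic mechanism" referred to in the message above is the RFC 7240 Prefer / Preference-Applied header pair that the draft builds on. The following is an added illustration, not code from this thread, from RFC 7240 or from the draft: it parses both headers according to the RFC 7240 list grammar (comma-separated preferences, each a token with an optional `=` value and, for Prefer only, `;`-separated parameters; tokens compared case-insensitively, first occurrence of a repeated token wins) and then shows what a client can and cannot learn from `Preference-Applied: safe`. The token and quoted-string character classes are simplified assumptions, and the request and response headers at the bottom are constructed sample input.

```python
"""RFC 7240 Prefer / Preference-Applied parsing, with a client-side check for
the "safe" preference.  Added illustration; not code from the thread or draft.
Character classes for token / quoted-string are a simplification (assumption)."""
import re

# Simplified RFC 7230 token and quoted-string (assumption: enough for real headers)
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_WORD = rf'(?:{_TOKEN}|"(?:[^"\\]|\\.)*")'
# token, optionally followed by "=" and a word (RFC 7240: preference / applied-pref)
_PREF_RE = re.compile(rf'\s*({_TOKEN})(?:\s*=\s*({_WORD}))?')


def _unquote(word):
    """Strip quotes and backslash escapes from a quoted-string; tokens pass through."""
    if word is None:
        return None
    if word.startswith('"') and word.endswith('"'):
        return re.sub(r'\\(.)', r'\1', word[1:-1])
    return word


def _split_list(value, sep):
    """Split on `sep` only where it is outside a quoted-string."""
    items, cur, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            cur.append(ch)
            escaped = False
        elif quoted and ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == sep and not quoted:
            items.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append(''.join(cur))
    return [i.strip() for i in items if i.strip()]


def parse_prefer(header_value):
    """Prefer field value -> {token: (value, {param: value})}.
    Tokens are case-insensitive; a repeated token keeps its first occurrence.
    Entries that do not match the grammar are dropped rather than raising."""
    prefs = {}
    for item in _split_list(header_value, ','):
        parts = _split_list(item, ';')
        m = _PREF_RE.fullmatch(parts[0])
        if not m:
            continue
        params = {}
        for p in parts[1:]:
            pm = _PREF_RE.fullmatch(p)
            if pm:
                params[pm.group(1).lower()] = _unquote(pm.group(2))
        prefs.setdefault(m.group(1).lower(), (_unquote(m.group(2)), params))
    return prefs


def parse_preference_applied(header_value):
    """Preference-Applied carries token [= word] entries only, no parameters."""
    applied = {}
    for item in _split_list(header_value, ','):
        m = _PREF_RE.fullmatch(item)
        if m:
            applied.setdefault(m.group(1).lower(), _unquote(m.group(2)))
    return applied


def client_requested_safe(request_headers):
    return 'safe' in parse_prefer(request_headers.get('Prefer', ''))


def server_claims_safe(response_headers):
    """True means only that the server *says* it applied "safe".  Nothing in the
    header is verifiable by the client; a server can emit it and filter nothing."""
    return 'safe' in parse_preference_applied(
        response_headers.get('Preference-Applied', ''))


if __name__ == '__main__':
    # Constructed sample exchange (not captured traffic)
    request = {'Prefer': 'Safe, respond-async; wait=10, safe'}
    response = {'Preference-Applied': 'safe'}
    print(parse_prefer(request['Prefer']))
    print('client asked for safe:', client_requested_safe(request))
    print('server claims safe:   ', server_claims_safe(response))
```

The point the parser makes concrete is the asymmetry in the quoted objection: the client can establish exactly what it asked for, and exactly what the server claims, but `server_claims_safe` returning True is the end of what the mechanism gives it; whether the representation was actually filtered is not something the header can attest to.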