There's an important point under all of this.

On 23 Jan 2016, at 2:55 am, Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
>
> Alice is the administrator of the system; she is running a Web Server
> for the company on http://example.com/ with a redirect mapping from
> http://www.example.com/*
>
> Bob wants to set up an XXX service which is a Web Service with an HTTP
> binding. Alice will let him run that service but does not want to
> grant unrestricted access to the corporate Web service on port 80/443.
> How do we support that?

It's exceedingly difficult.

The Web has for some time set most meaningful security boundaries at the origin level -- i.e., (scheme, host, port). Allowing Bob access to <https://www.example.com/.well-known/bob> still gives him a considerable amount of leeway to content and capability on other parts of the origin, including:

* reading and writing cookies
* reading and writing LocalStorage
* setting ServiceWorkers to intercept requests and synthesise responses for the whole host
* access to use and set permissions for capabilities like camera access, microphone access, geolocation
* provide content -- including active content (e.g., JavaScript) -- for execution with escalated privilege
* ability to set origin policy such as CSP, HSTS, etc.

This is a small, incomplete sample.

Alice can try to limit Bob's capabilities by controlling the headers and content that he sets, but that's probably a losing battle; it requires her to keep up with every development in the Web platform, and code her containment perfectly.

The takeaway here is that .well-known is *not* a sandbox to put content into, and treating it like that can have serious security implications.

Cheers,

--
Mark Nottingham   https://www.mnot.net/
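The following is an added illustration of the point above, written for this page; it is not code from the mailing list or from Mark Nottingham. It shows three things in one runnable Node script: that the boundary the platform enforces is the origin (scheme, host, port) and not the path, so a grant scoped to /.well-known/bob is same-origin with everything else on www.example.com; what the header-scrubbing "containment" Alice might attempt looks like, and why it is a losing battle; and the alternative that does give Bob a real boundary, namely leaving only a redirect at the .well-known path and serving his service from a separate origin. The host name bob.example.com, the path prefix, the header deny-list and the use of a 308 redirect are all assumptions made for the example (Bob's callers are assumed to follow redirects).

```javascript
'use strict';
// Added example for the thread above; not code from the list or its authors.
// Host names, the path prefix and the header list below are assumptions.

// --- 1. The boundary the platform actually enforces: the origin ----------
// origin = (scheme, host, port). The path is not part of it, so anything
// granted under /.well-known/bob/ shares cookies, storage, ServiceWorker
// scope, permissions and policy with the rest of the host.
function originOf(href) {
  return new URL(href).origin; // e.g. 'https://www.example.com'
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// --- 2. The containment Alice might attempt if Bob stays on-origin -------
// A proxy in front of Bob strips response headers that set origin-wide
// state or policy. This is the "losing battle": the list is necessarily
// incomplete (the platform keeps adding headers), and it does nothing about
// what Bob's own JavaScript does once it executes on the origin.
const ORIGIN_WIDE_HEADERS = new Set([
  'set-cookie',
  'content-security-policy',
  'content-security-policy-report-only',
  'strict-transport-security',
  'service-worker-allowed',
  'permissions-policy',
  'feature-policy',
  'clear-site-data',
  'report-to',
]);

// headers: plain object of header-name -> value, as a proxy would hold them.
// Returns { headers, stripped } with the deny-listed names removed.
function scrubOriginWideHeaders(headers) {
  const kept = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (ORIGIN_WIDE_HEADERS.has(name.toLowerCase())) stripped.push(name);
    else kept[name] = value;
  }
  return { headers: kept, stripped };
}

// --- 3. The boundary that works: give Bob his own origin ----------------
const CORPORATE_ORIGIN = 'https://www.example.com'; // assumption
const BOB_ORIGIN = 'https://bob.example.com';       // assumption (hypothetical host)
const BOB_PREFIX = '/.well-known/bob';              // assumption

// Routing decision for a request that arrived on the corporate origin.
// Returns a plain object rather than writing an http.ServerResponse so the
// logic can be exercised without a network. Anything under Bob's prefix is
// redirected to the same path on Bob's origin (308 keeps method and body,
// so a POSTed Web Service call survives); nothing of Bob's is ever served
// from the corporate origin itself. new URL() resolves dot segments, so a
// traversal like /.well-known/bob/../../admin is routed as /admin, not Bob's.
function routeOnCorporateOrigin(pathWithQuery) {
  const url = new URL(pathWithQuery, CORPORATE_ORIGIN);
  const underBob =
    url.pathname === BOB_PREFIX || url.pathname.startsWith(BOB_PREFIX + '/');
  if (underBob) {
    const target = new URL(url.pathname + url.search, BOB_ORIGIN);
    return { status: 308, headers: { Location: target.href } };
  }
  // Everything else is Alice's own site; the CSP value is illustrative only.
  return {
    status: 200,
    headers: { 'Content-Security-Policy': "default-src 'self'" },
  };
}

// Demonstration on constructed inputs.
console.log(isSameOrigin('https://www.example.com/.well-known/bob/x',
                         'https://www.example.com/admin'));          // true
console.log(scrubOriginWideHeaders({
  'Content-Type': 'application/json',
  'Set-Cookie': 'sid=1; Path=/.well-known/bob',
}).stripped);                                                       // [ 'Set-Cookie' ]
const r = routeOnCorporateOrigin('/.well-known/bob/rpc?v=1');
console.log(r.status, r.headers.Location);
// 308 https://bob.example.com/.well-known/bob/rpc?v=1
console.log(isSameOrigin(r.headers.Location, CORPORATE_ORIGIN));    // false
```

The scrubbing function is kept deliberately so that its limits are visible: even with every known policy header removed, a script Bob serves under the prefix still runs with the origin's authority, which is why the redirect-to-own-origin routing is the part that actually establishes a boundary.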