Status: closed (closed by dret 5 years ago)
just an idea: to mitigate security problems with resources announcing an overly broad scope, it would be possible to define the scope as a pattern only, which would always be appended to the URI of the resource announcing the sunset.
the last additions for -06 do not add a prefix or template mechanism, but they talk about the general concept of a possible wider scope of a Sunset header field than a single resource.
getting close to closing this in favor of getting the RFC published without additional complications. anybody objecting make concrete suggestions now, or forever stay silent!
closing this as part of the final RFC push.
currently the scope for a sunset is not quite clear. it might just be the resource responding with Sunset, or it might be that the service containing the resource announces its sunset as a complete service (possibly involving a large number of resources). it would be possible to specify a "sunset scope" with mechanisms such as a prefix or a URI template. on the other hand, this adds complexity and also raises security concerns, such as a resource announcing a sunset with a very large scope (much larger than the resources it actually serves), and supporting applications raising all kinds of alarms as a result.