Solid Notifications Technical Reports
https://solid.github.io/notifications/protocol
MIT License

Document security considerations #115

Open elf-pavlik opened 1 year ago

elf-pavlik commented 1 year ago

from: https://github.com/solid/notifications/issues/110#issuecomment-1275271253

Say that Mallory appends a message with "Cute kittens here: https://mallory.example/pics/cute-kitten.jpg" and Bob has a subscription to the resource, gets notified and clicks that link, sees cute kittens and has no reason to suspect that something is wrong. However, Bob's UA may have leaked the capability URL to Mallory since Mallory controls his server, through e.g. the Referer header or some other mechanism as indicated in the Capability URLs WD. Now, Mallory would have escalated his privileges to read notifications, right?

@kjetilk I think we can evaluate this scenario. How do you imagine the Capability URLs, used by some notifications subscriber on behalf of Bob, ending up in the Referer header?

Besides that, I think we can recommend not reusing Capability URLs across subscriptions; this way, leaking one Capability URL only works with one subscription (for a specific topic) until it expires or the subscriber unsubscribes.
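One way a receiver could implement the per-subscription Capability URLs suggested above, with expiry and revocation on unsubscribe, as an added example (not code from the solid/notifications project; the receiver URL, class and function names are assumptions):

```python
import secrets
from dataclasses import dataclass

# Constructed example: each capability URL is bound to exactly one subscription
# (one topic), expires, and is revoked on unsubscribe, so a leaked URL never
# grants more than that one topic for the remaining lifetime of the subscription.
BASE_URL = "https://receiver.example/notifications/"  # hypothetical receiver


@dataclass
class Subscription:
    topic: str
    expires_at: float
    revoked: bool = False


class CapabilityRegistry:
    def __init__(self):
        self._by_token: dict[str, Subscription] = {}

    def _token_of(self, capability_url: str):
        if not capability_url.startswith(BASE_URL):
            return None
        return capability_url[len(BASE_URL):]

    def subscribe(self, topic: str, ttl_seconds: float, now: float) -> str:
        # Fresh unguessable token per subscription; never reused across topics.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Subscription(topic, now + ttl_seconds)
        return BASE_URL + token

    def resolve(self, capability_url: str, now: float):
        """Return the single topic this URL grants, or None if it grants nothing."""
        sub = self._by_token.get(self._token_of(capability_url) or "")
        if sub is None or sub.revoked or now >= sub.expires_at:
            return None
        return sub.topic

    def unsubscribe(self, capability_url: str) -> None:
        sub = self._by_token.get(self._token_of(capability_url) or "")
        if sub is not None:
            sub.revoked = True


# Header the receiver's pages should send so a browser following an outbound
# link (the "cute kittens" case) does not forward the capability URL as Referer.
SAFE_HEADERS = {"Referrer-Policy": "no-referrer"}


def blast_radius(registry: CapabilityRegistry, leaked_url: str, now: float):
    """Topics a single leaked capability URL exposes right now (at most one)."""
    topic = registry.resolve(leaked_url, now)
    return [topic] if topic else []
```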