w3c / Micropub

The Micropub spec
https://micropub.net/draft/

Security Considerations for properties that accept file upload #89

Closed swickr closed 7 years ago

swickr commented 7 years ago

Section 3.3.1 Uploading Files has two sentences that do not seem consistent:

... the Micropub endpoint MUST also accept a URL value, treating that the same as if the file had been uploaded directly. The endpoint MAY download [Fetch] a copy of the file at the URL and store it the same way it would store the file if it had been uploaded directly.

If the endpoint MUST treat the property as if the file had been uploaded directly then (presuming it doesn't simply ignore the content) what other option does it have than to download the content from that URL?

Irrespective of whether the MAY should be SHOULD, Section 6.1 Security and Privacy is incomplete in that it does not mention considerations for an endpoint when it fetches an arbitrary URL presented to it in lieu of uploading a file. At least a note about defensive measures is warranted.
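The kind of defensive measures this comment asks for, written out as an added example (not code from this thread, the spec, or any Micropub endpoint): before fetching a URL supplied in place of a file upload, the endpoint checks scheme, host and resolved addresses, then checks the response headers before reading the body. The allowed schemes, size cap, content types and the injectable resolver are assumed policy choices, not spec requirements.

```python
"""Pre-fetch checks for a Micropub endpoint that accepts a URL instead of a file."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}      # assumed endpoint policy
MAX_BYTES = 10 * 1024 * 1024              # assumed endpoint policy
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif",
                 "audio/mpeg", "video/mp4"}  # assumed endpoint policy


def default_resolver(host):
    """Return every address the hostname currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=default_resolver):
    """Return (True, None) if the URL may be fetched, else (False, reason).

    A real fetcher must run this again on every redirect target and should
    connect to the address validated here, not re-resolve the name later.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "unresolvable host"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
        except ValueError:
            return False, "unparseable address"
        # Rejects loopback, private, link-local and other non-routable ranges.
        if not ip.is_global:
            return False, f"resolves to non-public address {addr}"
    return True, None


def check_response_headers(headers):
    """Validate Content-Type and declared size before reading any body bytes."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_TYPES:
        return False, f"content type {ctype or '(none)'} not allowed"
    length = headers.get("Content-Length")
    if length is not None and (not length.isdigit() or int(length) > MAX_BYTES):
        return False, "missing or oversized Content-Length"
    return True, None
```

Even with a valid Content-Length, the fetcher should stop reading once MAX_BYTES have arrived, since the header is attacker-controlled.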

aaronpk commented 7 years ago

Some Micropub endpoints don't store files themselves at all, and instead use external storage such as S3 for all assets, even ones that were received via a Micropub file upload. In these cases, the Micropub server ends up storing just a URL to the asset, and the URL is rendered in the post when it's displayed. The intent with accepting URL values as well as file uploads is to allow more flexibility in how files are handled in general.

I've added a section to the security & privacy section describing this. https://micropub.net/draft/#external-content

Does this address the issue? Thanks!

dissolve commented 7 years ago

Looks good to me.

aaronpk commented 7 years ago

On today's call, the WG resolved to accept this text as a resolution for this issue. https://socialwg.indiewebcamp.com/irc/social/2017-04-11#t1491924421892

swickr commented 7 years ago

Sufficient for this pass. Thanks.