On 2013-03-11 3:46 PM, "Jeroen De Dauw" <jeroendedauw(a)gmail.com> wrote:
Hey,
Sure you could add some mechanism to prove you own the domain where you
want the rc updates to be sent, but things can get rather complex.
Google uses, or at least used to use, the following to do exactly that:
On request provide an auth file to the user which includes some unique
identifier. Require this file to be made available via the domain in
question. Have the user point to the location where it is made available
and check if it is actually there. If so, domain authenticated.
That seems rather simple to create.
Cheers
--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil.
I think that proves my point - what you describe is not what Google does.
Google tells the user the path for the file (I believe the usual place is
in the root of the domain). The user does not pick the path. Otherwise I
could prove I own wikipedia (assuming mime types weren't checked) by using
action=raw.
Things that finicky to be made secure should be avoided imo.
-bawolff
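
An added example, not part of the original thread: a sketch of the verifier-chosen-path check discussed above, where the user supplies only a hostname and the verifier builds the URL itself and also checks the MIME type. The names `PATH_TEMPLATE`, `verify_domain` and the injected `fetch` callable are hypothetical, and the `.example` sites are constructed sample data so the code runs offline.

```python
import hmac
import re
import secrets

# Assumption: the verifier, not the user, fixes this root-level file name pattern.
PATH_TEMPLATE = "/rc-verify-{token}.txt"
HOSTNAME = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def new_token():
    """Unique identifier handed to the user on request."""
    return secrets.token_hex(16)

def verification_url(domain, token):
    """Return the single URL the verifier will fetch for this domain."""
    host = domain.lower()
    # Only a bare hostname is accepted: no scheme, port, path or query string.
    if not HOSTNAME.fullmatch(host):
        raise ValueError("not a bare hostname: %r" % domain)
    return "https://" + host + PATH_TEMPLATE.format(token=token)

def verify_domain(domain, token, fetch):
    """fetch(url) -> (status, content_type, body_bytes); must not follow redirects."""
    status, content_type, body = fetch(verification_url(domain, token))
    if status != 200:
        return False
    # Checking the MIME type too rejects pages that merely echo user content.
    if content_type.split(";")[0].strip().lower() != "text/plain":
        return False
    return hmac.compare_digest(body.strip(), token.encode("ascii"))

def make_fetcher(pages):
    """Constructed stand-in for an HTTP client so the example runs offline."""
    def fetch(url):
        return pages.get(url, (404, "text/html", b""))
    return fetch

if __name__ == "__main__":
    token = new_token()
    pages = {  # constructed sample sites
        "https://owner.example/rc-verify-%s.txt" % token: (200, "text/plain", token.encode()),
        "https://wiki.example/w/index.php?title=User:X&action=raw": (200, "text/plain", token.encode()),
    }
    fetch = make_fetcher(pages)
    print("owner.example verified:", verify_domain("owner.example", token, fetch))
    print("wiki.example verified:", verify_domain("wiki.example", token, fetch))
```

The second site serves the token only from a user-editable page, so the fixed root path returns 404 and verification fails.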