The upload service SHOULD choose an appropriate timeout for the validity of the PUT URL. Since there is no reason for a client to wait between requesting the slot and starting the upload, relatively low timeout values of around 300s are RECOMMENDED.
To make HTTP Upload work in web clients (including those hosted on a different domain) the upload service SHOULD set appropriate CORS-Headers. The exact headers and values are out of scope of this document but may include: Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers. For HTTP upload services that use custom Authorization or Cookie request header the CORS-Header Access-Control-Allow-Credentials might also be of importance.
+
Note: This section is not normative; it may be updated when general web security recommendations change in the future.
+It is recommended to run the HTTP upload domain used for GET requests in appropriate isolation from other HTTP based services to avoid user-generated, malicious scripts to be executed in the context of said services. Isolation techniques can include, but are not limited to, setting the Content-Security-Policy.
+
+ The provided policy will prohibit a browser from executing all active content from the HTTP upload domain (default-src 'none') and forbid embedding it from other pages (frame-ancestors 'none'). More information on Content-Security-Policy can be found on infosec.mozilla.org.
+Further isolation can be achieved by hosting those files on an entirely different domain instead of using subdomains.
+This document requires no interaction with the Internet Assigned Numbers Authority (IANA).
@@ -328,6 +361,62 @@tbd
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+]]>