--- a/paq/prov-aq.html Fri Apr 05 18:13:06 2013 +0100
+++ b/paq/prov-aq.html Fri Apr 05 18:15:25 2013 +0100
@@ -1138,7 +1138,7 @@
When clients and servers are retrieving submitted URIs such as provenance descriptions and following or registering links; reasonable care should be taken to prevent malicious use such as distributed denial of service attacks (DDoS), cross-site request forgery (CSRF), spamming and hosting of inappropriate materials. Reasonable preventions might include same-origin policy, HTTP authorization, SSL, rate-limiting, spam filters, moderation queues, user acknowledgements and validation. It is out of scope for this document to specify how such mechanisms work and should be applied.
</p>
<p>
- Provenance pingback uses an HTTP POST operation, which may be used for non-"safe" interactions in the sense of [[WEBARCH]] (<a href="http://www.w3.org/TR/2004/REC-webarch-20041215/#safe-interaction" class="externalRef">section 3.4</a>). Care needs to be taken that user agents are not tricked into POSTing to incorrect URIs in such a way that may incur unintended effects or obligations. For example, a malicious site may present a pingback URI that executes an instruction on a different web site. Risks of such abuse may be mitigated by: performing pingbacks only to URIs from trusted sources; performing pingbacks only to the same origin as the provider of the pingback URI (like in-browser javascript same-origin restrictions), not sending credentials with pingback requests that were not obtained specifically for that purpose, and other measures rthat may be appropriate.
+ Provenance pingback uses an HTTP POST operation, which may be used for non-"safe" interactions in the sense of [[WEBARCH]] (<a href="http://www.w3.org/TR/2004/REC-webarch-20041215/#safe-interaction" class="externalRef">section 3.4</a>). Care needs to be taken that user agents are not tricked into POSTing to incorrect URIs in such a way that may incur unintended effects or obligations. For example, a malicious site may present a pingback URI that executes an instruction on a different web site. Risks of such abuse may be mitigated by: performing pingbacks only to URIs from trusted sources; performing pingbacks only to the same origin as the provider of the pingback URI (like in-browser javascript same-origin restrictions), not sending credentials with pingback requests that were not obtained specifically for that purpose, and any other measures that may be appropriate.
</p>
<p>Accessing provenance services might reveal to the service and third-parties information which is considered private, including which resources a client has taken interest in. For instance, a browser extension which collects all provenance data for a resource which is being saved to the local disk, could be revealing user interest in a sensitive resource to a third-party site listed by <code>prov:has_provenance</code> or <code>prov:has_query_service</code> relation. A detailed query submitted to a third-party provenance query service might be revealing personal information such as social security numbers. Accordingly, user agents in particular SHOULD NOT follow provenance and provenance service links without first obtaining the user's explicit permission to do so.
</p>
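Review bot: The mitigation list in the changed sentence still mixes separators. The first two items are split by a semicolon ("trusted sources; performing pingbacks only to the same origin ..."), but after the parenthetical the list continues with commas (", not sending credentials ..., and any other measures"). Because the second item carries its own parenthetical, semicolons throughout would make the three mitigations and the closing catch-all read as parallel items. While this line is being touched, "javascript" could also be written "JavaScript". The "rthat" to "that" correction itself is fine.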