Commit 39884fd
Document that subscription filters carry no per-client authorization
Any client may subscribe to any URI, including one it cannot read, and
will receive update notifications for it (resource existence and change
timing - never content). Multi-tenant servers should not publish
sensitive per-user URIs, or should serve the method with their own
handler and narrow the filter before acking; a narrowing hook on the
built-in handler is a candidate follow-up.
1 parent badcba0 commit 39884fd
1 file changed
Lines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
33 | 33 | | |
34 | 34 | | |
35 | 35 | | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
36 | 44 | | |
37 | 45 | | |
38 | 46 | | |
| |||
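
One way a server that serves the subscribe method with its own handler could narrow the filter before acking, as the commit message suggests. This is an added example, not code from this commit or its project: `SubscriptionRegistry`, `can_read`, the `notes://` URIs and the ACL are hypothetical and constructed. The access re-check at notification time goes beyond what the message states.

```python
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical policy callback: (client_id, uri) -> True if the client may read uri.
CanRead = Callable[[str, str], bool]


@dataclass
class SubscriptionRegistry:
    can_read: CanRead
    _subs: dict[str, set[str]] = field(default_factory=dict)  # uri -> client ids

    def subscribe(self, client_id: str, requested: list[str]) -> list[str]:
        """Narrow the requested filter to readable URIs; return the list to ack."""
        # dict.fromkeys de-duplicates while keeping the request order.
        granted = [u for u in dict.fromkeys(requested) if self.can_read(client_id, u)]
        for uri in granted:
            self._subs.setdefault(uri, set()).add(client_id)
        return granted

    def recipients(self, uri: str) -> list[str]:
        """Clients to notify about a change to uri, re-checked at delivery time."""
        allowed = {c for c in self._subs.get(uri, set()) if self.can_read(c, uri)}
        if allowed:
            self._subs[uri] = allowed      # drop subscribers whose access was revoked
        else:
            self._subs.pop(uri, None)
        return sorted(allowed)


def demo():
    # Constructed sample ACL: which URIs each tenant may read.
    acl = {
        "alice": {"notes://alice/todo", "notes://shared/board"},
        "bob": {"notes://bob/diary", "notes://shared/board"},
    }
    reg = SubscriptionRegistry(lambda c, u: u in acl.get(c, set()))
    reg.subscribe("alice", ["notes://alice/todo", "notes://shared/board"])
    # bob asks for a URI he cannot read; it is silently left out of the ack.
    acked = reg.subscribe(
        "bob", ["notes://alice/todo", "notes://shared/board", "notes://shared/board"]
    )
    before = reg.recipients("notes://shared/board")
    acl["bob"].discard("notes://shared/board")  # access revoked after subscribing
    after = reg.recipients("notes://shared/board")
    todo = reg.recipients("notes://alice/todo")
    return acked, before, after, todo
```

In this sketch `can_read` returns `False` for unknown URIs as well, so a narrowed ack does not distinguish a URI the client may not read from one that does not exist.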