Add a bit more about target attribute authority

handrews · handrews · commit f314d36d751c · 2017-11-16T12:13:04.000-08:00
While "targetSchema" is technically never required to process
a response, as the response should indicate its own schema,
other target attributes in the LDO, such as the submission schema,
cannot be conveyed in any way other than through the LDO.

It would seem like we need a provision for determining when the
LDO can be constructed, but it's not entirely clear how that
should work.  Put in a bit about it and a CREF to hopefully
attract the attention of someone who can improve the section.
diff --git a/jsonschema-hyperschema.xml b/jsonschema-hyperschema.xml
@@ -2394,7 +2394,18 @@ Link: <https://api.example.com/trees/1/nodes/456> rev=up
                     As stated in <xref target="targetAttributes"/>, all LDO keywords describing
                     the target resource are advisory and MUST NOT be used in place of
                     the authoritative information supplied by the target resource in response
-                    to an operation.
+                    to an operation.  Target resource responses SHOULD indicate their own
+                    hyper-schema, which is authoritative.
+                </t>
+                <t>
+                    If the hyper-schema in the target response matches (by "$id") the hyper-schema
+                    in which the current LDO was found, then the target attributes MAY be
+                    considered authoritative.
+                    <cref>
+                        Need to add something about the risks of spoofing by "$id", but given
+                        that other parts of the specification discourage always re-downloading
+                        the linked schema, the risk mitigation options are unclear.
+                    </cref>
                 </t>
                 <t>
                     Clients MUST NOT use the value of "targetSchema" to aid in the interpretation
