Comment 87 for bug 1449212

clayg (clay-gerrard) wrote:

I'm +2 on patch @ #85

However, I'll admit that the commit message makes things seem a little more dire than they would be after the tempurl-can-not-create-dlo fix from lp bug #1453948 is released. But since neither of them is released, I think the wording is correct for this patch.

... now, before you go thinking "maybe we don't need scoped tempurls if you can't make *LO's with tempurls?" - you *can* make *LO's with write-acls - so it's a more complicated attack, but if we only did the other change, a write-acl and container-tempurl would be just as vulnerable to the DLO probing as described in the commit. Regardless of how the "object that points to other data" is created - scoping the ability of a container tempurl to grant read access only to the container that created them is critically important to meet our expected risk model.

After this is public we need to do a doc change to highlight that container-tempurls (unlike account-tempurls) don't work with cross-container manifests (again, regardless of how the cross-container manifests were created).
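The scoping rule discussed in this comment, as an added illustrative example (not Swift's tempurl middleware and not code from the patch). It assumes the documented tempurl HMAC body (`method\nexpires\npath`, HMAC-SHA1 hex), constructed account and container keys, and a hypothetical `manifest_segments` parameter standing in for the segment paths a *LO would be expanded to; the point it shows is that a container-scoped signature must not grant reads outside its own container, even when a manifest points there, while an account-scoped one may.

```python
import hmac
import hashlib

# Constructed keys: one account-level key and one container-level key for
# the container named "public". Real deployments read these from metadata.
ACCOUNT_KEY = b"account-secret-constructed"
CONTAINER_KEYS = {"public": b"public-container-secret-constructed"}


def split_path(path):
    """Split /v1/<account>/<container>/<object> into its three parts, else None."""
    parts = path.split("/", 4)
    if len(parts) < 5 or parts[1] != "v1" or not parts[4]:
        return None
    return parts[2], parts[3], parts[4]


def sign(key, method, expires, path):
    """Tempurl-style signature: HMAC-SHA1 over 'method\\nexpires\\npath'."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, body, hashlib.sha1).hexdigest()


def authorize_tempurl(method, path, expires, sig, now, manifest_segments=None):
    """Return (allowed, scope); scope is 'account', 'container' or None.

    manifest_segments (hypothetical) lists the segment paths the requested
    object resolves to when it is a DLO/SLO manifest; an empty list means a
    plain object.
    """
    if expires < now:
        return False, None
    parsed = split_path(path)
    if parsed is None:
        return False, None
    _account, container, _obj = parsed

    # Account-level key: may read any container, so cross-container
    # manifests are fine here.
    if hmac.compare_digest(sign(ACCOUNT_KEY, method, expires, path), sig):
        return True, "account"

    # Container-level key: only valid for the container that created it,
    # and every segment the object points at must live in that container.
    ckey = CONTAINER_KEYS.get(container)
    if ckey and hmac.compare_digest(sign(ckey, method, expires, path), sig):
        for seg in manifest_segments or []:
            seg_parsed = split_path(seg)
            if seg_parsed is None or seg_parsed[1] != container:
                return False, "container"
        return True, "container"

    return False, None


if __name__ == "__main__":
    path = "/v1/AUTH_test/public/manifest"
    exp = 2000000000
    csig = sign(CONTAINER_KEYS["public"], "GET", exp, path)
    # Manifest whose segments sit in another container: container key denied.
    print(authorize_tempurl("GET", path, exp, csig, 1,
                            ["/v1/AUTH_test/private/seg1"]))
```

The same signature check is used for both scopes; what differs is the post-signature path check, which is why a container tempurl cannot be made to leak another container's data through a manifest, however that manifest was created.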