Comment 20 for bug 1449212

Richard Hawkins (richard-hawkins) wrote :

There are different levels of trust, but I think what is at issue here is the account owner's expectation of what a user can do with a temp url he gives out. To me, the issue revolves around users being able to use these things to get information that is not obvious to the account owner. If it is obvious, then the feature might become useless as it is trivial to gain access to objects that you should not have access to or to probe for the existence of objects.

I don't see an issue with x-versions-location, as you cannot set headers on a container with a temp url as far as I know. So it does not seem like it could be abused to either leak data or probe for object existence. Even if you have a PUT and DELETE temp url, and the container has the x-versions-location set, all you would be able to do is push and pop versions of the object you have access to into and out of the x-versions-location container. And that seems like it might be expected behavior by the account owner. (Although there might be other ways to abuse it which I can't think of right now.)