W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: A proposal

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 20 Nov 2013 02:43:30 +0100
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131120014330.GE22150@1wt.eu>
On Tue, Nov 19, 2013 at 08:00:17PM +0100, Nicolas Mailhot wrote:
> 
> Le Mar 19 novembre 2013 09:43, Roy T. Fielding a écrit :
> 
> > Furthermore, I have a hard time believing the privacy propaganda
> > being spread by the browser makers.  If they want to improve
> > privacy, all they have to do is remove the crappy features
> > that cause their HTTP use to be insecure.  Stop blaming the
> > protocols for exposing information that shouldn't be sent in
> > the first place.
> >
> > Don't allow cookies from a secure site to be sent to a non-secured site.
> > Double-key cookies so that they don't share information across multiple
> > referring sites. Implement an obvious logout in the UI chrome.
> > Don't send cached credentials if the referring document isn't trusted
> > or same-origin.  Don't allow BASIC over an unsecured connection.
> > Implement authentication schemes that don't expose the user's secret.
> > Prevent extensions and scripts from mimicking authentication forms.
> 
> Stop sending referers???

Stop sending pre-connects to recently visited sites when the user starts
the browser and involuntarily shows he's currently online ?

Willy
Received on Wednesday, 20 November 2013 01:43:56 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC