Expect-CT updates from Emily Stark on 2017-11-10 (ietf-http-wg@w3.org from October to December 2017)

From: Emily Stark <estark@google.com>
Date: Fri, 10 Nov 2017 16:38:35 +0000
To: httpbis <ietf-http-wg@w3.org>
Message-ID: <CAPP_2Sa2RaM+8YzmAD3jGtvDHQngkYfQqaPC8iKBc70hjvD-=g@mail.gmail.com>

I won't be able to make it to Singapore, so here are a few updates on
Expect-CT:

- In Prague we talked about CORS preflights for reporting requests.
https://github.com/whatwg/fetch/issues/567 is the resulting discussion,
though it hasn't really had a satisfying resolution yet.
https://github.com/whatwg/fetch/pull/621 documents some CORS exceptions,
including Expect-CT reports.

- Expect-CT is now shipped in Chrome stable and several large sites have
deployed the header. One large site has requested includeSubdomains support
and doesn't want to deploy Expect-CT without it.

- Ivan Ristic (Hardenize) is planning on filing a few small spec issues
(mostly related to the report format, IIUC) this week or next based on his
deployment experience.

Received on Friday, 10 November 2017 16:39:27 UTC