- From: Ilya Grigorik <notifications@github.com>
- Date: Thu, 06 Aug 2015 12:55:42 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Thursday, 6 August 2015 19:56:22 UTC

I don't think this is going to work from client-land. With a JS API, any first- or third-party script would be able to inject arbitrary pin rules for any origin - this is bad, as it's trivial to abuse. Only the origin itself should be able to assert rules about which certs should be pinned and for how long, which is why header-based registration works.

---
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/98#issuecomment-128486172