- From: Vinod Anupam <notifications@github.com>
- Date: Sat, 14 Apr 2018 03:45:32 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 14 April 2018 03:45:59 UTC
vanupam commented on this pull request. > +<a for=/>header</a> on each HTTP request sent using that connection. +The header contains the user agent's proof-of-possession for a given +origin's <a for=/>token-binding key</a>. +(The user agent proves possession of the private key by putting a cryptographic +signature in that header.) + +<p>The server associates ('binds') credentials that it issues to that user agent +with a <a for=/>token binding ID</a> in that <a for=/>header</a>. +The server also verifies if bound credentials presented to it by a user agent +match a <a for=/>token binding ID</a> in that <a for=/>header</a>. + +<p>The <a for=header>value</a> of the `<a http-header><code>Sec-Token-Binding</code></a>` +<a for=/>header</a> is a base64url-encoded string [[!RFC4648]]: + +<pre> +Sec-Token-Binding = 1*( ALPHA / DIGIT / "-" / "_" ) *2( "=" ) Added ABNF ref. A reviewer had asked (earlier in the thread) for headers to be shown. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/325#discussion_r181540447
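Review bot: In the `Sec-Token-Binding` ABNF at the end of the hunk, `*2( "=" )` permits zero to two padding characters regardless of how many characters precede them, so the grammar accepts strings that are not valid base64url (a single character, or `AAAA==`, both match). The prose above it only says the value is "a base64url-encoded string [[!RFC4648]]", which leaves open whether padding is required, optional or forbidden. Suggest stating one canonical form in the prose and tightening the grammar to match it, and saying what the server does with a value that does not decode, so that two implementations cannot disagree about whether a given header is well-formed. Smaller wording point in the second paragraph: "verifies if bound credentials ... match" reads as a conditional; "verifies that" says what is meant.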