Re: [whatwg/fetch] Update Fetch to support Token Binding. (#325)

@Andrei-Popov I agree that it's two dimensions: one dimension is the notion of Fetch's "_withCredentials_" mode, which is a defined semantic linked to CORS and Ambient Authority, and another dimension is generally thought of as "_third-party cookie blocking_" mode, in which steps are taken to distinguish a 3P connection (cross-origin) from a 1P connection (same-origin/same-eTLD+1).

On the **withCredentials** dimension, I hope we can agree that TB is not a credential in that sense, because it's not a bearer token. I would think that a connection that negotiated TB could still be used for a credential-less request, since no ambient authority would be conferred, and suspect that it might be easier to simply omit the TB entirely.

On the **3P/1P** dimension, I think we can agree that a TB is potentially-identifying, and should be omitted, the same as cookies are. Whether that also means that a new connection (non-TB-negotiated) should be established is unclear to me. In both cases, I suspect these are UA-specific decisions - the Web Platform doesn't really define how 3P cookie blocking works (much like, say, Apple's ITP or HSTS-blocking is not part of the spec, but part of the UA-logic/deviation).

From a spec perspective, @nharper's question about whether it belongs in the discussion of credentials is relevant, in that if we say it is treated as a credential, then it means UAs shouldn't allow TB to be saved/sent on a request that also isn't allowed to save/send cookies. That seems to match expectations on the 3P/1P dimension, and probably simplifies implementation for the withCredentials dimension. UAs can still explore coalescing the connections (as Firefox does, in which cookie-bearing and cookie-less requests are permitted to share the same connection), allowing non-TB-bearing requests over TB-negotiated channels.

https://github.com/whatwg/fetch/pull/325#issuecomment-376986649

Received on Wednesday, 28 March 2018 18:22:19 UTC