Re: [XHR] chunked requests

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 09 Dec 2011 13:59:13 +0100
To: "Adam Barth" <w3c@adambarth.com>, "Eric Rescorla" <ekr@rtfm.com>
Cc: "Jonas Sicking" <jonas@sicking.cc>, "Wenbo Zhu" <wenboz@google.com>, public-webapps@w3.org, "Ian Hickson" <ian@hixie.ch>
Message-ID: <op.v573ozha64w2qv@annevk-macbookpro.local>

On Fri, 09 Dec 2011 02:13:50 +0100, Eric Rescorla <ekr@rtfm.com> wrote:
> On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Whatever spec we end up going with should note in its security
>> consideration that the user agent must implement TLS 1.2 or greater to
>> avoid this attack.
>
> I believe it's actually TLS 1.1, since the relevant feature is
> explicit IVs. Or you could allow RC4, I guess.

Are you saying that if responseType is set to "stream" and the server only  
supports TLS 1.0 the connection should fail, but if it is greater than  
that it is okay?

Same-origin requests are always okay? (Though it seems we should just  
require TLS 1.1 there too then to not make matters too confusing.)


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 9 December 2011 12:59:59 GMT