Re: [integrity]: Origin confusion attacks. from Brad Hill on 2014-01-09 (public-webappsec@w3.org from January 2014)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 9 Jan 2014 15:33:27 -0800
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, btoews@github.com, Joel Weinberger <jww@google.com>, Frederik Braun <fbraun@mozilla.com>
Message-ID: <CAEeYn8jWbd7-dDXTz_emOL3FFeVkGw_c87K_yYSzJgjK7jHqvA@mail.gmail.com>

We've had about 24 hours of discussion.

Yes, with some of the very smartest minds on the topic contributing, but
maybe it's still too soon to just give up?  :)

How about we start by marking it as "at risk" in the FPWD?

On Thu, Jan 9, 2014 at 3:25 PM, Devdatta Akhawe <dev.akhawe@gmail.com>wrote:

> > I don't have a good mitigation idea off the top of my head, but I agree
> it's
> > something we should worry about.
>
> I view the integrity-based cache more of a "good-to-have" feature
> rather than important to the main use case of the spec. Maybe just
> removing this should also be on the table as a possibility? (in case
> we can't come up with a clean solution)
>
> --dev
>
>

Received on Thursday, 9 January 2014 23:33:55 UTC