- From: Chris Palmer <palmer@google.com>
- Date: Mon, 16 Jun 2014 11:33:33 -0700
- To: Brian Smith <brian@briansmith.org>
- Cc: Brad Hill <hillbrad@gmail.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jun 16, 2014 at 2:41 AM, Brian Smith <brian@briansmith.org> wrote:

> I don't think that consolidation is happening; look at Public-Key-Pins and
> HSTS and CORS and many other things that are in separate header fields.

FWIW, I tried at first to have HPKP be an extension of HSTS, but the IETF Working Group didn't want that. I still think it would have been better if HPKP had been an extension of HSTS.

Generally I strongly support the consolidation for the cognitive load reason. However, note that there was a lot of concern about header bloat (e.g. a large set of HPKP pins could be 200 – 400 bytes, and people were freaking out). I never bought into the bloat idea — I'm a lot more concerned about all that plain text that nobody remembers to gzip, and all the 1 MiB JPEGs that have height and width set to 400px in HTML — but there you have it. Expect pushback on that front.

Another solution floated was to have the security policy expressed as the resource retrieved from a well-known URI, rather than mashing it in headers. Then it could be cached and pre-fetched.
Received on Monday, 16 June 2014 18:34:00 UTC