- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 20 Jan 2017 17:08:49 +1300
- To: chaals@yandex-team.ru
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hey Chaals, In case you missed the suggestion at the last meeting from Vlad, he suggested that this only be offered for use with fetches with a credentials-mode (See https://fetch.spec.whatwg.org/#concept-request-credentials-mode) of "omit". That is, don't make it possible for the server to use ambient authority (including cookies) to customize the request. I don't think that completely removes the concern, but it helps. I don't think that having tools for separating "possibly under attacker influence" and "secret" is going to solve the issue. That's already possible with existing compression techniques; the concern is over the usability of those tools and the ability to correctly identify data as belonging to each category. On 20 January 2017 at 16:48, <chaals@yandex-team.ru> wrote: > Additionally, since this is a new powerful feature, there is no reason not to restrict it to secure connections. FWIW, the security concerns ONLY apply to secure connections, so you needn't worry about this bit. If you are going to spray your secrets all over the internet, traffic analysis isn't really your most pressing concern.
Received on Friday, 20 January 2017 04:09:22 UTC