- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 11 Jan 2018 09:56:47 +1100
- To: Adam Roach <adam@nostrum.com>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-origin-frame@ietf.org, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>

> On 11 Jan 2018, at 7:59 am, Mark Nottingham <mnot@mnot.net> wrote:
>
>>> That said, I would agree with an argument that we should explicitly say that they aren't supported, so as not to confuse.
>>
>> Yes, please do that. It would also (in my opinion) be worthwhile mentioning that using ORIGIN is incompatible with the use of wildcard certs to indicate authority over wildcarded origins; but, if you don't want to, I'm not going to press the point.
>
> Will see what I can do.

"""
Note that the ORIGIN frame does not support wildcard names (e.g., "*.example.com") in Origin-Entry. As a result, sending ORIGIN when a wildcard certificate is in use effectively disables any origins that are not explicitly listed in the ORIGIN frame(s).
"""

Seem reasonable?

--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 10 January 2018 22:57:17 UTC
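
The effect described in the proposed text above, as an added example that is not part of the original message or the draft: a client-side model of connection reuse under a wildcard certificate, before and after an ORIGIN frame arrives. The function names and sample data are hypothetical; the payload layout (16-bit Origin-Len followed by ASCII-Origin) and the seeding of the origin set with the connection's initial origin follow RFC 8336, while SAN matching is simplified and the DNS check of ordinary HTTP/2 coalescing is omitted.

```python
import struct
from urllib.parse import urlsplit

def parse_origin_frame(payload: bytes) -> list:
    """Split an ORIGIN payload into Origin-Entry strings (Origin-Len + ASCII-Origin)."""
    origins, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated Origin-Len")
        (n,) = struct.unpack_from("!H", payload, i)
        i += 2
        if i + n > len(payload):
            raise ValueError("truncated ASCII-Origin")
        origins.append(payload[i:i + n].decode("ascii").lower())
        i += n
    return origins

def cert_covers(host: str, sans: list) -> bool:
    """Simplified SAN check: '*.' stands for exactly one left-most label."""
    parent = host.split(".", 1)[1] if "." in host else None
    return any(s == host or (s.startswith("*.") and s[2:] == parent) for s in sans)

def may_reuse(origin: str, sans: list, initial_origin: str, origin_frames=None) -> bool:
    """May the client send requests for `origin` on this connection?"""
    if not cert_covers(urlsplit(origin).hostname, sans):
        return False
    if origin_frames is None:
        # No ORIGIN received: the certificate decides (DNS check omitted here).
        return True
    # After ORIGIN: only the initial origin plus entries listed verbatim.
    origin_set = {initial_origin}
    for payload in origin_frames:
        origin_set.update(parse_origin_frame(payload))
    return origin.lower() in origin_set

def entry(origin: str) -> bytes:
    """Encode one Origin-Entry (helper for the constructed sample data)."""
    return struct.pack("!H", len(origin)) + origin.encode("ascii")

# Constructed sample: a wildcard certificate and an ORIGIN frame carrying one
# explicit origin plus a literal wildcard string, which matches only itself.
SANS = ["*.example.com"]
INITIAL = "https://www.example.com"
FRAME = entry("https://static.example.com") + entry("https://*.example.com")

if __name__ == "__main__":
    for o in ("https://static.example.com", "https://img.example.com"):
        print(o, may_reuse(o, SANS, INITIAL), may_reuse(o, SANS, INITIAL, [FRAME]))
```

A server operator relying on a wildcard certificate can use the same check to confirm that every hostname it still expects clients to coalesce is listed explicitly before enabling ORIGIN.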