
Re: HSTS Fingerprinting.

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 8 Oct 2019 10:17:51 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>, John Wilander <wilander@apple.com>, Jeff Hodges <jdhodges@google.com>
Message-Id: <D9EEED4E-B67A-4EFB-93D4-FE8CA50AB537@mnot.net>
To: Mike West <mkwst@google.com>
4 November; see <https://datatracker.ietf.org/meeting/106/important-dates/>.

Cheers,


> On 7 Oct 2019, at 10:47 pm, Mike West <mkwst@google.com> wrote:
> 
> Ok, thanks Mark. I'll aim to have an ID up by whenever the Singapore cutoff turns out to be.
> 
> -mike
> 
> 
> On Thu, Oct 3, 2019 at 7:59 AM Mark Nottingham <mnot@mnot.net> wrote:
> Hey Mike,
> 
> I wouldn't treat the silence as indicative of disinterest.
> 
> Would you be willing to write up a short draft explaining your proposal and submit it for discussion in Singapore (presenting remotely if necessary)? Even if you decide not to do it here, I suspect you'll be able to reuse the markdown...
> 
> Cheers,
> 
> 
> > On 1 Oct 2019, at 11:47 pm, Mike West <mkwst@google.com> wrote:
> > 
> > Ping!
> > 
> > If this group doesn't feel any particular ownership, I'm happy to try to define some web browsery behavior in W3C/WHATWG. If y'all would prefer an RFC6797bis, great!
> > 
> > -mike
> > 
> > 
> > On Wed, Sep 18, 2019 at 3:10 AM Mike West <mkwst@google.com> wrote:
> > A year or two ago, +John Wilander and others at Apple proposed some changes to HSTS in https://webkit.org/blog/8146/protecting-against-hsts-abuse/ that went some way towards mitigating the abuses documented in Section 14.9 of RFC6797. Given some shifts in the way we're thinking about some other concepts, I've written up a short proposal at https://github.com/mikewest/strict-navigation-security that builds upon and simplifies Apple's proposal. We discussed it briefly at yesterday's webappsec meeting, and there seems to be interest in doing something in this space.
> > 
> > +Mark Nottingham and +Jeff Hodges suggested that I loop this group into that conversation, as the original websec group has disbanded. Is it a topic this group would like to pick up? If not, would y'all be comfortable with us defining some web browser behavior/Fetch integration in webappsec that constrains the existing RFC?
> > 
> > Thanks!
> > 
> > -mike
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 7 October 2019 23:18:26 UTC
