- From: Ilya Grigorik <notifications@github.com>
- Date: Fri, 07 Aug 2015 14:14:46 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Friday, 7 August 2015 21:15:16 UTC
@f0zi no, there is a big difference here. With HPKP only the server responsible for a particular origin is able to assert what pins are valid; a different origin cannot and should not be able to enforce arbitrary rules on other origins.

> Also consider the case where the app is actually deployed at the client in a secure way, e.g. in a signed installer so it does not have that problem. The fingerprint it would use for the discovery server is in that package.

Packaged apps are a separate beast, they're subject to a particular deployment model, etc. Out of scope.

Origin A does not and cannot assert anything about the validity of other origin pins.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/98#issuecomment-128835543