- From: sleevi <notifications@github.com>
- Date: Tue, 11 Aug 2015 11:02:14 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Tuesday, 11 August 2015 18:02:49 UTC
Oh, and since I didn't address the counter-proposal (surface the details to the app), I'll just note * By the time it's surfaced to the App, it's too late (from a security perspective), because a request will have already gone through. * Even if that were solved, it'd be an infoleak. Certs can/do contain PII, especially if (for example) they're chaining to a local trust anchor (this is the `private` flag / `strict` mode suggested). A user in charge of their machine necessarily trumps the needs of the website, whereas cert pinning that allows a site to block such self-MITM violates that priority. No matter the views of the site (which may not necessarily be the site being accessed, to be cleared), the user should be allowed to freely operate their machine, which may include MITM'ing themselves for debugging (e.g. Fiddler) or for 'security' (e.g. antivirus). --- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/98#issuecomment-129995602
Received on Tuesday, 11 August 2015 18:02:49 UTC