Re: [fetch] Request for support for certificate pinning (#98)

Thanks, I missed that. So let me add a use case:

A webapp is using distributed services and wants to protect the user against MITM attacks.
- On startup, it gets a configuration document from a discovery server using per-call certificate pinning:

    ```fetch({ url: "https://example.com/.well-known/appconfig", certs: [ "<hardcoded discovery fingerprint>" ] })```
- From this document it gets the fingerprints for the servers it communicates with and registers them globally:

    ```fetch.addFingerprints(config.fingerprints)```

- At this point all HTTPS requests to 3rd party servers will be checked against the fingerprints from the discovery document.

This is a rather generic use case that could be added to any app that is using fetch, e.g. for authentication, CDN, 3rd party services, etc., to add certificate pinning without changing the way it does web requests.

As the certificates that have been used for HTTPS are not exposed to the client, there is no way of achieving this with the current interface.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/98#issuecomment-126724724

Received on Friday, 31 July 2015 15:27:49 UTC
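
The flow described in the comment above, modelled as an added example that is not part of the original message and not a real fetch API: `PinStore`, `check`, `runDemo` and the sample byte strings are hypothetical, and the `certs` option and `addFingerprints` exist only in the proposal. It assumes the TLS layer hands the check the DER bytes of the presented certificate and that fingerprints are SHA-256.

```javascript
// Added illustration of the pin check implied by the proposal; not a real fetch API.
const { createHash } = require('node:crypto');

// Accept "AB:CD:..." or "abcd..." and return lowercase hex without separators.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[:\s]/g, '').toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) throw new TypeError('expected a SHA-256 fingerprint');
  return hex;
}

// Assumption: the fingerprint is SHA-256 over the DER certificate the server presented.
const fingerprintOf = (certDer) => createHash('sha256').update(certDer).digest('hex');

class PinStore {
  constructor() { this.globalPins = new Set(); }

  // Hypothetical counterpart of fetch.addFingerprints(config.fingerprints).
  addFingerprints(list) {
    for (const fp of list) this.globalPins.add(normalizeFingerprint(fp));
  }

  // perCallPins models the proposed `certs` option; when given, only it is consulted.
  check(certDer, perCallPins) {
    const presented = fingerprintOf(certDer);
    if (perCallPins !== undefined) {
      return perCallPins.map(normalizeFingerprint).includes(presented) ? 'allow' : 'reject';
    }
    // Nothing registered yet: only ordinary certificate validation applies.
    if (this.globalPins.size === 0) return 'unpinned';
    return this.globalPins.has(presented) ? 'allow' : 'reject';
  }
}

// Constructed stand-ins for DER certificates (not real certificates).
const discoveryCert = Buffer.from('constructed discovery server certificate');
const apiCert = Buffer.from('constructed API server certificate');
const otherCert = Buffer.from('constructed certificate from an unexpected issuer');

function runDemo() {
  const store = new PinStore();
  const hardcoded = fingerprintOf(discoveryCert).toUpperCase().match(/../g).join(':');
  const r = { beforeConfig: store.check(apiCert) };
  r.discovery = store.check(discoveryCert, [hardcoded]);
  r.discoveryMismatch = store.check(otherCert, [hardcoded]);
  store.addFingerprints([fingerprintOf(apiCert)]); // as if read from the discovery document
  r.api = store.check(apiCert);
  r.apiMismatch = store.check(otherCert);
  return r;
}
console.log(runDemo());
```

The `unpinned` result before registration marks the window the startup ordering has to close: a request issued before the discovery document is processed gets no pin check in this model.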