[whatwg/fetch] Impact of OCSP on SOP (#530)

Since I don't know of a better place to put it and don't want to continue having the exploration in https://github.com/bifurcation/expect-ct/issues/18, which is really about something else, this seems like as good a place as any.

@sleevi pointed out that OCSP is only done by Firefox directly and other browsers use the OS stack. And only a name-constrained subCA is able to make third-party requests (requests to arbitrary endpoints, determined solely by that party).

This issue is interesting to figure out where the SOP line is drawn as that can tell us whether we are too strict elsewhere or accidentally tell servers they can rely on certain invariants that are actually false, etc.

I think my main issue is that even if it's not the browsers now (except for Firefox), it could be the browser tomorrow. After all, all the pieces of the OS needed to make a browser are part of the browser ecosystem and have to be considered. This might be more self-evident with systems such as Chrome OS.

https://github.com/whatwg/fetch/issues/530

Received on Friday, 21 April 2017 08:47:27 UTC