Re: [whatwg/fetch] Update Fetch to support Token Binding. (#325)

vanupam commented on this pull request.



> @@ -2325,6 +2409,251 @@ X-Content-Type-Options           = "nosniff" ; case-insensitive</pre>
 <a for=request/destination>script-like</a> or "<code>style</code>" are considered as any exploits
 pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content.
 
+<h3 id=token-binding>Token Binding</h3>
+
+<p>In order to protect security tokens like HTTP cookies and OAuth tokens, user agents and servers
+can use a technique known as <dfn export id=concept-token-binding>Token Binding</dfn> to
+cryptographically associate a given token with a secret
+(a <dfn export id=concept-token-binding-key>token-binding key</dfn>) known only to a specific
+user agent. This association mitigates the risk that attackers can steal the token and use it
+themselves, as they will not be able to easily replicate the user agent's secret,
+and therefore will be unable to replicate the cryptographic binding of the token.
+
+<p>Details are described in TOKBIND-NEGOTIATION, TOKBIND-PROTOCOL and
+TOKBIND-HTTPS and integration is defined here.
+[[TOKBIND-NEGOTIATION]], [[TOKBIND-PROTOCOL]], and [[TOKBIND-HTTPS]].
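Review bot: the closing paragraph of this hunk cites the three specifications twice, once as bare names inside the sentence ("Details are described in TOKBIND-NEGOTIATION, TOKBIND-PROTOCOL and TOKBIND-HTTPS and integration is defined here.") and again as a trailing run of bracketed references that is not a sentence on its own. Fold the references into the sentence so each citation is linked once and the paragraph reads as one unit, e.g. `<p>Details are described in [[TOKBIND-NEGOTIATION]], [[TOKBIND-PROTOCOL]], and [[TOKBIND-HTTPS]]; integration with Fetch is defined here.` and drop the separate `[[...]]` line.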

Moved.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/325#discussion_r178889706

Received on Tuesday, 3 April 2018 16:46:52 UTC