Re: [whatwg/fetch] More CORB-protected MIME types - adding protected types one-by-one. (#860)

@mozdevcontrib, could you clarify why it is desirable to prevent disclosing `application/pgp-signature` resources?  An example scenario might help.

I understand that in `multipart/signed` the unencrypted, signed body might contain some sensitive/personal information that might benefit from CORB protection.  OTOH, I am not sure why `application/pgp-signature` might be sensitive - AFAIU it reveals very limited information:
- the hash of the signed document (when signing a binary or text document - signature type 0x00 or 0x01)
- user id and public key (e.g. for 0x12 signature type: Casual certification of a User ID and Public-Key packet)
- some signature metadata (like signature creation time).  

https://github.com/whatwg/fetch/issues/860#issuecomment-575760463

Received on Friday, 17 January 2020 19:21:42 UTC
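
To make the question above concrete, this added example (not part of the original comment, nor code from any project discussed) reads the cleartext fields of one binary OpenPGP version 4 signature packet, following the RFC 4880 packet layout. The function names and the sample packet (key ID, hash bytes, signature value) are constructed for illustration, and ASCII armor is assumed to have been stripped already.

```python
import struct
from datetime import datetime, timezone

SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document",
             0x12: "casual certification of a User ID and Public-Key packet"}

def subpackets(area):
    """Yield (type, data) for each subpacket in a hashed/unhashed area."""
    i = 0
    while i < len(area):
        n = area[i]; i += 1
        if 192 <= n < 255:                       # two-octet length
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        elif n == 255:                           # five-octet length
            n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # bit 7 of the type = "critical"
        i += n

def describe_signature(pkt):
    """Return the cleartext metadata in one binary v4 signature packet."""
    if len(pkt) < 2 or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if pkt[0] & 0x40:                            # new-format header
        tag, skip = pkt[0] & 0x3F, (1 if pkt[1] < 192 else None)
    else:                                        # old-format header
        tag, skip = (pkt[0] >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(pkt[0] & 3)
    if tag != 2 or skip is None:
        raise ValueError("not a signature packet, or unsupported length form")
    body = pkt[1 + skip:]
    if len(body) < 10 or body[0] != 4:
        raise ValueError("only version 4 signatures are handled here")
    p = 6 + struct.unpack(">H", body[4:6])[0]    # end of hashed subpacket area
    ulen = struct.unpack(">H", body[p:p + 2])[0]
    info = {"sig_type": SIG_TYPES.get(body[1], hex(body[1])),
            "pubkey_algo": body[2], "hash_algo": body[3],
            "hash_left16": body[p + 2 + ulen:p + 4 + ulen].hex()}
    for t, d in [*subpackets(body[6:p]), *subpackets(body[p + 2:p + 2 + ulen])]:
        if t == 2 and len(d) == 4:               # signature creation time
            info["created"] = datetime.fromtimestamp(
                struct.unpack(">I", d)[0], timezone.utc).isoformat()
        elif t == 16:                            # issuer key ID
            info["issuer_key_id"] = d.hex()
    return info

# Constructed sample: type 0x00, RSA (1), SHA-256 (8), dummy key ID and MPI.
_body = (bytes([4, 0, 1, 8]) + b"\x00\x06\x05\x02" + struct.pack(">I", 1577836800)
         + b"\x00\x0a\x09\x10" + bytes.fromhex("0123456789abcdefabcd") + b"\x00\x08\xff")
SAMPLE = bytes([0x88, len(_body)]) + _body
```

Calling `describe_signature(SAMPLE)` returns a dictionary with the signature type, algorithm IDs, creation time, issuer key ID and the two-octet hash check field stored in the packet.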