- From: Brad Hill <hillbrad@gmail.com>
- Date: Thu, 20 Mar 2014 18:58:44 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Wendy Seltzer <wseltzer@w3.org>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, "Hill, Brad" <bhill@paypal.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8hrO5K2OMfbhnNKFAbX1a1t3v36t8N0bA8N+ns+hrj8dw@mail.gmail.com>
Thanks for the history, Dan.

We also have had a good deal of pre-publication attention from Mark Nottingham, the HTTP 2 chair at IETF and one of the other formal IETF/W3C liaison people, who has not raised concerns with the venue. This is about policies in browsers for including resources in the DOM, post-retrieval, so it is not traditionally in the IETF wheelhouse.

Apologies about some missing references. It's a first draft.

With regard to Fetch, the most active development there is happening at WHATWG. We in WebAppSec coordinate with Anne Van Kesteren pretty regularly on such things as, e.g., adding CSP as parameters to the Fetch algorithms. Typically we have a history of working out the security-specific issues and shape of things in the venue with the most relevant expertise and charter, and figuring out the details of integration when it's more clear what it should do.

I think there will likely be some interactions possible or necessary here with ServiceWorkers, as well. But the implementation could also stand alone, as does CSP, in terms of rules for manipulating the DOM after Fetch has completed. (The exploration of SRI as a means for content-addressable storage aside.)

The primary purpose of FPWD is to give notice to the community that we have something ready for review and comment. It's not by any means a claim that we are done. We appreciate all feedback to the public list.

-Brad Hill

On Thu, Mar 20, 2014 at 6:34 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 3/20/2014 7:11 AM, Wendy Seltzer wrote:
> > On 03/20/2014 09:32 AM, Henry S. Thompson wrote:
> >> So I'm curious, perhaps even concerned, about the overlap between this work and the IETF. Is the WG, or are you personally, regularly in touch with the right people at the IETF to be sure you're not stepping on toes over there, with respect to WebAppSec in general, and this document's proposals in particular?
>
> We once tried to get this concept done in the IETF, in the form of "link fingerprints".
> http://www.gerv.net/security/link-fingerprints/
>
> Mozilla even had an experimental implementation
> https://bugzilla.mozilla.org/show_bug.cgi?id=377245
>
> It got shut down in the IETF, with the suggestion that it didn't belong in URLs but should rather be done as document metadata in the W3C. The concept took a vacation for half a decade but that's where we now are: in the W3C at the request of the IETF.
>
> -Dan Veditz
Received on Friday, 21 March 2014 01:59:13 UTC