W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] Escaping mixed-content blocking for video distribution

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Nov 2014 20:27:03 +0100
Message-ID: <CADnb78j4iF8nqm5CTChAxcEtju9k1zh5rAVFafcvnnLtHHxrjg@mail.gmail.com>
To: Brad Hill <hillbrad@fb.com>
Cc: Mark Watson <watsonm@netflix.com>, Adam Langley <agl@google.com>, Mike West <mkwst@google.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 12, 2014 at 8:22 PM, Brad Hill <hillbrad@fb.com> wrote:
> There is work going on in the OAuth WG on authenticating HTTP requests:
> http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-00
>  Have you looked at this to see if it is suitable for your use case?

That is not going to work for him. He needs something that sidelines
mixed content protection in browsers. That way Netflix can keep
pretending TLS is not required by using it for the top-level browsing
context while fetching all data without TLS.

Received on Wednesday, 12 November 2014 19:27:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC