- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 12 Nov 2014 20:27:03 +0100
- To: Brad Hill <hillbrad@fb.com>
- Cc: Mark Watson <watsonm@netflix.com>, Adam Langley <agl@google.com>, Mike West <mkwst@google.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Nov 12, 2014 at 8:22 PM, Brad Hill <hillbrad@fb.com> wrote:
> There is work going on in the OAuth WG on authenticating HTTP requests:
>
> http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-00
>
> Have you looked at this to see if it is suitable for your use case?

That is not going to work for him. He needs something that sidelines mixed content protection in browsers. That way Netflix can keep pretending TLS is not required by using it for the top-level browsing context while fetching all data without TLS.

--
https://annevankesteren.nl/

Received on Wednesday, 12 November 2014 19:27:30 UTC