
Re: [SRI] Escaping mixed-content blocking for video distribution

From: Brad Hill <hillbrad@fb.com>
Date: Wed, 12 Nov 2014 20:27:22 +0000
To: Mark Watson <watsonm@netflix.com>
CC: Adam Langley <agl@google.com>, Mike West <mkwst@google.com>, "Frederik Braun" <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D089022A.DF7%hillbrad@fb.com>
>
>I think that is about enabling the server to authenticate the request.
>What I think we need is for the UA to verify that the request processed
>by the server was the same as the one it sent, so that the
>UA can be sure the traffic is not subject to attacks such as the Verizon
>"perma-cookie".

It's too late at that point, isn't it? You've been identified to the
server (and anyone in the middle).

I believe the concerns blocking consensus are regarding the privacy, not
the integrity, of requests, so not sure this is a productive track to head
down.

-Brad

Received on Wednesday, 12 November 2014 20:27:51 UTC
