- From: Brad Hill <hillbrad@fb.com>
- Date: Wed, 12 Nov 2014 20:27:22 +0000
- To: Mark Watson <watsonm@netflix.com>
- CC: Adam Langley <agl@google.com>, Mike West <mkwst@google.com>, "Frederik Braun" <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I think that is about enabling the server to authenticate the request.
> What I think we need is for the UA to verify that the request processed
> by the server was the same as the one it sent, so that the
> UA can be sure the traffic is not subject to attacks such as the Verizon
> "perma-cookie".

It's too late at that point, isn't it? You've been identified to the server (and anyone in the middle).

I believe the concerns blocking consensus are regarding the privacy, not the integrity, of requests, so not sure this is a productive track to head down.

-Brad
Received on Wednesday, 12 November 2014 20:27:51 UTC