W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [MIX] Is origin an authenticated origin?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 23 Oct 2014 17:06:30 +0200
Message-ID: <CADnb78ihYx_md3b31yPZd_uV2EjzzkNKQrs7foDxXLnO6TOi5g@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 23, 2014 at 4:24 PM, Mike West <mkwst@google.com> wrote:
> 1. We're not blocking all requests from SHA-1 laden servers, just those that
> are subresources of non-SHA-1-laden HTTPS documents. So we need to have
> mixed content checking logic down in Blink somewhere; we can't just blindly
> kill the request entirely.

So I guess whether something is weakly authenticated should first be
exposed on a response. And then propagated by the navigate and run a
worker algorithms somehow for environment settings objects.

Received on Thursday, 23 October 2014 15:06:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC