- From: Mike West <mkwst@google.com>
- Date: Tue, 28 Oct 2014 17:34:33 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=d4zsuejqq4+N6UZuyNvgZV9cKOhsw3Uxd=0v_UUbcQgQ@mail.gmail.com>

On Tue, Oct 28, 2014 at 5:20 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Oct 28, 2014 at 5:09 PM, Mike West <mkwst@google.com> wrote:
> > That said, one nit: Chrome has no need to distinguish between "deprecated"
> > and "weak", but other browsers might.
>
> Would be interesting to hear about. If we want this to converge at
> some point it would be good to get some agreement on this.

As we've discussed before, Chrome just blocks connections it considers weak. Things like SSL3 and SHA-1 are lumped into "deprecated". Opera, I believe, is going to end up in the same boat. I suspect Firefox has a similar model, I suspect Safari's model is quite different, and I have no idea what IE does. :)

> Also, a synthetic Response can take its TLS state from the environment
> it is created in, right? (Assuming environments get a TLS state as
> well.)

I think we'd do the same thing there that we do for blobs. If we trust the environment in which a response is synthesized, I think we can/should trust the synthesized response as well.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 28 October 2014 16:35:22 UTC