Re: Defining secure-enough origins.

From: Chris Palmer <palmer@google.com>
Date: Tue, 2 Sep 2014 14:17:22 -0700
Message-ID: <CAOuvq22RrKbwrGnSiKQKX-7vN0G75A0YOMzSpHcwVvDuegoUig@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sun, Aug 31, 2014 at 10:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Some engines might
> also have the certificate pinned to the origin so for TLS-origins an
> additional comparison is made other than scheme/host/port.

I don't know of any JavaScript execution context that treats
key-pinned TLS as being a different origin than non-pinned; or
treating pinned-but-different-keys as distinct origins.

Do you mean to say that you do know of such JS execution contexts?

Received on Tuesday, 2 September 2014 21:17:49 UTC