- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 3 Sep 2014 11:14:31 +0200
- To: Chris Palmer <palmer@google.com>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Sep 2, 2014 at 11:17 PM, Chris Palmer <palmer@google.com> wrote:
>> Some engines might
>> also have the certificate pinned to the origin so for TLS-origins an
>> additional comparison is made other than scheme/host/port.
>
> I don't know of any JavaScript execution context that treats
> key-pinned TLS as being a different origin than non-pinned; or
> treating pinned-but-different-keys as distinct origins.
>
> Do you mean to say that you do know of such JS execution contexts?

I was not talking about pinned certificates, but associating the
certificate with the origin. I'm not sure if Gecko is doing it, but
it's a thing we were exploring.

--
http://annevankesteren.nl/

Received on Wednesday, 3 September 2014 09:14:57 UTC