W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: Defining secure-enough origins.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 3 Sep 2014 11:14:31 +0200
Message-ID: <CADnb78jXxNuwnFJRk=bh0d7bnVmpQWoueHq2wR_Ld6vJY97qRg@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Sep 2, 2014 at 11:17 PM, Chris Palmer <palmer@google.com> wrote:
>>Some engines might
>> also have the certificate pinned to the origin so for TLS-origins an
>> additional comparison is made other than scheme/host/port.
>
> I don't know of any JavaScript execution context that treats
> key-pinned TLS as being a different origin than non-pinned; or
> treating pinned-but-different-keys as distinct origins.
>
> Do you mean to say that you do know of such JS execution contexts?

I was not talking about pinned certificates, but associating the
certificate with the origin. I'm not sure if Gecko is doing it, but
it's a thing we were exploring.


-- 
http://annevankesteren.nl/
Received on Wednesday, 3 September 2014 09:14:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC