Re: IETF seeking feedback on proposed "Token Binding" Working Group

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 11 Feb 2015 13:19:15 +0100
Message-ID: <CADnb78igz2i_Wz368GUU0Mx+kJskEMiS-v6_vAT6F_6m2DGYiw@mail.gmail.com>
To: Arthur Barstow <art.barstow@gmail.com>
Cc: public-webapps <public-webapps@w3.org>, unbearable@ietf.org, WebAppSec WG <public-webappsec@w3.org>

On Wed, Feb 11, 2015 at 1:10 PM, Arthur Barstow <art.barstow@gmail.com> wrote:
> WebApps - please note the draft spec includes a new XHR property
> "withRefererTokenBindingID"
> <https://tools.ietf.org/html/draft-balfanz-https-token-binding-00#section-3.4>.
> If anyone has feedback about the proposal, please send it to the
> unbearable @ ietf.org list. However, comments related to the XHR aspect
> should be Cc/Bcc to public-webapps.

Relatively recently we decided not to extend XMLHttpRequest further
and prioritize fetch().

Can we expect a more concrete proposal to revise either or is this it?

One problem with this proposal is that it does not use the Sec-*
convention for headers so the header can be spoofed...

Received on Wednesday, 11 February 2015 12:19:38 UTC
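
Added example, not part of the original message or of the draft it discusses: a simplified model of the Fetch "forbidden header name" rule, showing why a server can attribute a Sec-* request header to the browser but not a header without that prefix. The header name Example-Binding-ID and all values are constructed placeholders, and the name list is a simplification of the one in the Fetch specification.

```javascript
// Simplified model of the Fetch "forbidden header name" rule (added illustration).
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// True when page script is not allowed to set this request header.
function isForbiddenHeaderName(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Models what reaches the wire: script-supplied headers pass through the
// filter, then headers the user agent itself sets are added last.
function buildRequestHeaders(scriptHeaders, userAgentHeaders) {
  const out = new Map();
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (!isForbiddenHeaderName(name)) out.set(name.toLowerCase(), value);
  }
  for (const [name, value] of Object.entries(userAgentHeaders)) {
    out.set(name.toLowerCase(), value);
  }
  return out;
}

// Server-side view: a header can be attributed to the browser itself only
// if script could never have supplied it.
function serverCanAttributeToBrowser(name) {
  return isForbiddenHeaderName(name);
}

// Constructed input: script tries to set both spellings of a hypothetical
// header; the user agent sets only the Sec- one.
const onTheWire = buildRequestHeaders(
  { "Example-Binding-ID": "from-script", "Sec-Example-Binding-ID": "from-script" },
  { "Sec-Example-Binding-ID": "from-browser" }
);
console.log([...onTheWire]);
```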