- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 11 Feb 2015 13:19:15 +0100
- To: Arthur Barstow <art.barstow@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>, unbearable@ietf.org, WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 11, 2015 at 1:10 PM, Arthur Barstow <art.barstow@gmail.com> wrote: > WebApps - please note the draft spec includes a new XHR property > "withRefererTokenBindingID" > <https://tools.ietf.org/html/draft-balfanz-https-token-binding-00#section-3.4>. > > If anyone has feedback about the proposal, please send it to the > unbearable @ ietf.org list. However, comments related to the XHR aspect > should be Cc/Bcc to public-webapps. Relatively recently we decided not to extend XMLHttpRequest further and prioritize fetch(). Can we expect a more concrete proposal to revise either or is this it? One problem with this proposal is that it does not use the Sec-* convention for headers so the header can be spoofed... -- https://annevankesteren.nl/
Received on Wednesday, 11 February 2015 12:19:38 UTC