- From: Andrei Popov <Andrei.Popov@microsoft.com>
- Date: Wed, 11 Feb 2015 18:41:53 +0000
- To: Anne van Kesteren <annevk@annevk.nl>, Arthur Barstow <art.barstow@gmail.com>
- CC: public-webapps <public-webapps@w3.org>, "unbearable@ietf.org" <unbearable@ietf.org>, WebAppSec WG <public-webappsec@w3.org>
Hi Anne, This is part of a starting point proposal for the new working group; we expect the documents to change. It's a great time to suggest revisions; please feel free to suggest your text. I've put the initial I-Ds on github for easier editing: https://github.com/TokenBinding/Internet-Drafts Cheers, Andrei -----Original Message----- From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Anne van Kesteren Sent: Wednesday, February 11, 2015 4:19 AM To: Arthur Barstow Cc: public-webapps; unbearable@ietf.org; WebAppSec WG Subject: Re: [Unbearable] IETF seeking feedback on proposed "Token Binding" Working Group On Wed, Feb 11, 2015 at 1:10 PM, Arthur Barstow <art.barstow@gmail.com> wrote: > WebApps - please note the draft spec includes a new XHR property > "withRefererTokenBindingID" > <https://tools.ietf.org/html/draft-balfanz-https-token-binding-00#section-3.4>. > > If anyone has feedback about the proposal, please send it to the > unbearable @ ietf.org list. However, comments related to the XHR > aspect should be Cc/Bcc to public-webapps. Relatively recently we decided not to extend XMLHttpRequest further and prioritize fetch(). Can we expect a more concrete proposal to revise either or is this it? One problem with this proposal is that it does not use the Sec-* convention for headers so the header can be spoofed... -- https://annevankesteren.nl/ _______________________________________________ Unbearable mailing list Unbearable@ietf.org https://www.ietf.org/mailman/listinfo/unbearable
Received on Thursday, 12 February 2015 17:40:54 UTC