W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

RE: [Unbearable] IETF seeking feedback on proposed "Token Binding" Working Group

From: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Wed, 11 Feb 2015 18:41:53 +0000
To: Anne van Kesteren <annevk@annevk.nl>, Arthur Barstow <art.barstow@gmail.com>
CC: public-webapps <public-webapps@w3.org>, "unbearable@ietf.org" <unbearable@ietf.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <BN3PR0301MB1250C1310A0A969B339FF81C8C250@BN3PR0301MB1250.namprd03.prod.outlook.com>
Hi Anne,

This is part of a starting point proposal for the new working group; we expect the documents to change. It's a great time to suggest revisions; please feel free to suggest your text. I've put the initial I-Ds on github for easier editing: https://github.com/TokenBinding/Internet-Drafts



-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Anne van Kesteren
Sent: Wednesday, February 11, 2015 4:19 AM
To: Arthur Barstow
Cc: public-webapps; unbearable@ietf.org; WebAppSec WG
Subject: Re: [Unbearable] IETF seeking feedback on proposed "Token Binding" Working Group

On Wed, Feb 11, 2015 at 1:10 PM, Arthur Barstow <art.barstow@gmail.com> wrote:
> WebApps - please note the draft spec includes a new XHR property 
> "withRefererTokenBindingID"
> <https://tools.ietf.org/html/draft-balfanz-https-token-binding-00#section-3.4>.
> If anyone has feedback about the proposal, please send it to the 
> unbearable @ ietf.org list. However, comments related to the XHR 
> aspect should be Cc/Bcc to public-webapps.

Relatively recently we decided not to extend XMLHttpRequest further and prioritize fetch().

Can we expect a more concrete proposal to revise either or is this it?

One problem with this proposal is that it does not use the Sec-* convention for headers so the header can be spoofed...


Unbearable mailing list
Received on Thursday, 12 February 2015 17:40:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC