- From: Frederik Braun <fbraun@mozilla.com>
- Date: Fri, 23 Jan 2015 18:01:59 +0100
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>
- CC: Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
With HPKP, HSTS, CSP-Pinning and all these headers, I feel like we'd rather need a Site Settings spec.
Wait, something like a manifest! Oh.. :P

On 23.01.2015 16:22, Mike West wrote:
> TL;DR: Moar email. Feedback
> on https://w3c.github.io/webappsec/specs/csp-pinning/ would be ever so
> welcome.
>
> I've had a draft of a pinning mechanism for CSP sitting on my hard drive
> for a while now; Yan kicked my butt into gear to get it cleaned up and
> out the door for discussion. It's nowhere near complete, and is pretty
> hand-wavey in a number of places, but I think the building blocks are
> there for something that could be pretty useful for sites that are
> worried about CSP's per-resource delivery mechanism. Rather than forcing
> developers to "catch them all", we can help developers pin a minimal
> policy for a host (and its subdomains), and layer more granular policies
> on top.
>
> Feedback would be quite appreciated. If there's enough interest (and
> folks don't think the idea is insane), I'll clean up the doc a bit more
> and see if we can push it out as a FPWD.
>
> Thanks!
>
> +Chris and Ryan, since I stole ideas from PKP and HSTS. Hopefully I only
> stole the good ones.
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 23 January 2015 17:02:27 UTC
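Added illustration, not part of the thread and not code or syntax from the csp-pinning draft: a toy model of the idea Mike describes, a minimal policy pinned for a host (and optionally its subdomains) with a per-response policy layered on top. The pin header's name and its `max-age` / `includeSubDomains` syntax are assumptions borrowed from HSTS/HPKP, and the layering rule assumed here is the one existing CSP uses when several policies apply: a request is allowed only if every applicable policy allows it, so a page-level policy can tighten the pin but never loosen it.

```javascript
// Toy pin store + policy evaluator. Everything here (header syntax, store
// semantics) is an assumption for illustration, not the draft's behaviour.

const pinStore = new Map(); // host -> { policy, includeSubDomains, expires }

// "default-src 'self'; script-src 'self' cdn.example.com" -> Map(directive -> sources)
function parsePolicy(header) {
  const dirs = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) dirs.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return dirs;
}

// Hypothetical pin header: "max-age=N; [includeSubDomains;] <policy directives>".
// Returns true if the pin was stored or cleared, false if the header was ignored.
function storePin(host, headerValue, now) {
  let maxAge = null, includeSubDomains = false;
  const policyParts = [];
  for (const part of headerValue.split(';')) {
    const t = part.trim();
    if (!t) continue;
    const m = /^max-age=(\d+)$/i.exec(t);
    if (m) { maxAge = Number(m[1]); continue; }
    if (/^includeSubDomains$/i.test(t)) { includeSubDomains = true; continue; }
    policyParts.push(t);
  }
  if (maxAge === null) return false;                        // no max-age: ignore (HSTS-style)
  if (maxAge === 0) { pinStore.delete(host); return true; } // max-age=0 clears the pin
  pinStore.set(host, {
    policy: parsePolicy(policyParts.join('; ')),
    includeSubDomains,
    expires: now + maxAge * 1000,
  });
  return true;
}

// Exact-host pin wins; otherwise the nearest parent pin that covers subdomains.
// Expired pins are dropped on lookup.
function pinFor(host, now) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const pin = pinStore.get(candidate);
    if (!pin) continue;
    if (pin.expires <= now) { pinStore.delete(candidate); continue; }
    if (i === 0 || pin.includeSubDomains) return pin.policy;
  }
  return null;
}

// Subset of CSP source matching: 'none', '*', 'self', host and *.host sources.
function sourceMatches(source, origin, self) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return origin === self;
  const host = origin.replace(/^https?:\/\//, '');
  const src = source.replace(/^https?:\/\//, '');
  if (src.startsWith('*.')) return host.endsWith(src.slice(1));
  return host === src;
}

function policyAllows(policy, directive, origin, self) {
  const list = policy.get(directive) ?? policy.get('default-src');
  if (!list) return true; // this policy says nothing about the directive
  return list.some(s => sourceMatches(s, origin, self));
}

// Layering rule: pinned policy AND per-page policy must both allow the request.
function requestAllowed(pageHost, directive, origin, now, perPagePolicy) {
  const self = 'https://' + pageHost;
  const policies = [];
  const pinned = pinFor(pageHost, now);
  if (pinned) policies.push(pinned);
  if (perPagePolicy) policies.push(parsePolicy(perPagePolicy));
  return policies.every(p => policyAllows(p, directive, origin, self));
}

// Constructed sample: a pin set by https://example.com, then checked from a subdomain.
const T0 = 1_421_000_000_000;
storePin('example.com',
  "max-age=2592000; includeSubDomains; default-src 'self'; script-src 'self' cdn.example.com", T0);
console.log(requestAllowed('app.example.com', 'script-src', 'https://cdn.example.com', T0 + 1000, null)); // true
console.log(requestAllowed('app.example.com', 'script-src', 'https://evil.example', T0 + 1000, "script-src *")); // false
```

The last call shows the point of the pin: a page that ships a looser `script-src *` still cannot load from `evil.example`, because the pinned base policy is evaluated alongside it. A per-page policy can only narrow the result, e.g. `script-src 'self'` would turn the `cdn.example.com` case into a block.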