- From: Jim Manico <jim.manico@owasp.org>
- Date: Fri, 23 Jan 2015 19:40:35 -0800
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Yan Zhu <yzhu@yahoo-inc.com>, Mike West <mkwst@google.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Dan Veditz <dveditz@mozilla.com>

Brad,

I think your comment "somewhat dubious threat model" insinuates where you stand on this and that's cool. I think the risk of response header splitting and similar is also "dubious" and feel the need for a response header pin over-riding a manifest-like pin to be important for developer ease of use, at least.

How can we take these ideas and build a more formal and publishable threat model? I am the noob around here, at best, but I'd like to help somehow.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Jan 23, 2015, at 13:54, Brad Hill <hillbrad@gmail.com> wrote:
>
> somewhat dubious threat model

Received on Saturday, 24 January 2015 03:41:04 UTC