W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2018

Re: Proposal: https://example.com/.well-known/modify-credentials

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 4 Apr 2018 13:39:26 +1000
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <62BFE82E-65AF-4445-A31D-7194E6D0C6F3@mnot.net>
To: John Wilander <wilander@apple.com>

> On 4 Apr 2018, at 1:22 pm, John Wilander <wilander@apple.com> wrote:
> We don’t want to cache or save specific locations since they may get stale, stateful things tend to become tracking vectors, and an HTML element sounds like a phishing injection vector.

Fair enough.

> We believe the three options we bring up work for most developers – serve the page straight from the URL, make an HTTP redirect, or make a client-side redirect. You don’t think so?

Not at all, just exploring the space a bit. I think your arguments make sense, and the only potential downside I see is an origin that has multiple adminstrative domains -- which is a controversial topic itself, but does still pop up once in a while. Don't think it's a showstopper.

> Are well-known URLs hard to support in general?

Not particularly.


Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 4 April 2018 03:39:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:03 UTC