- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 1 Nov 2018 16:08:42 -0700
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Thursday, 1 November 2018 23:09:18 UTC
On Fri, Oct 26, 2018 at 1:41 AM Frederik Braun <fbraun@mozilla.com> wrote:

> Should "cache" include TLS session information?
> If not, should there be some sort of security-state flag for the
> Clear-Site-Data header which removes existing security state (e.g., TLS
> session tickets, HPKP/HSTS values set through headers (assuming browser
> support)?
>

The spec already has the "cookies" parameter clear TLS Channel ID and bound tokens.
https://w3c.github.io/webappsec-clear-site-data/#clear-cookies

Are TLS session tickets more like that or more like cache? Even if they aren't really auth-like things would it be less confusing to lump all the TLS-tracking things together?

Do we expect users of Clear-site-data to pick and choose types, or are they just going to use "*" in practice?

-Dan Veditz