
Re: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG

From: Theresa O'Connor <hober@apple.com>
Date: Fri, 12 Jun 2020 10:38:06 -0700
To: public-webappsec@w3.org
Cc: rmondello@apple.com
Message-id: <m27dwcrxq9.fsf@toconnor-imac-18-3.lan>

Hi all,

Mike wrote:

> This seems reasonable to me, and is consistent with our conversation
> on the topic at TPAC last year
> (https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#well-knownchange-password).
>
> I'd be comfortable adopting this specification, and publishing it as a
> FPWD. Let's give the working group's members a week to object. If no
> objections come in by May 12th, I think we could comfortably declare
> consensus.

It's been a month, and there haven't been objections. Before we move it
over, though, I wanted to additionally propose that we also move over a
companion document in the same repo, "Detecting the reliability of HTTP
status codes":

https://wicg.github.io/change-password-url/response-code-reliability.html

In order to most effectively make use of Change Password URLs,
implementers need to know if the web server is configured to correctly
serve 404 responses for resources that aren't there. They can use the
technique described in this document to do that. Safari and Chrome are
both pursuing this approach; see Dominic Battre's comment here:

https://github.com/WICG/change-password-url/issues/16#issuecomment-643314820

While distinct from each other, I think these two specs will sink or
swim together, so I'd like to keep them together in the same CG or WG.


Tess
Received on Friday, 12 June 2020 17:38:23 UTC
