[chromium-dev] Re: Clear Strict-Transport-Security state checkbox added

2009-09-23 Thread =JeffH

  Apparently an announcement message is also en-route to the W3C WebApps
  working group.

It's in their archives now..

   fyi: Strict Transport Security specification
   http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html

Please send feedback on the spec to the public-weba...@w3.org list.

thanks,

=JeffH
PayPal InfoSec Team



--~--~-~--~~~---~--~~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
http://groups.google.com/group/chromium-dev
-~--~~~~--~~--~--~---



[chromium-dev] Re: Clear Strict-Transport-Security state checkbox added

2009-09-18 Thread Adam Barth

In case you're still wondering about this topic, a draft of the spec
is now public:

http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html

Apparently an announcement message is also en-route to the W3C WebApps
working group.

Adam


On Thu, Sep 17, 2009 at 5:20 PM, Adam Barth aba...@chromium.org wrote:
 There's a slight race condition in making various things public.
 Basically, this is a mechanism a high-security site can use to signal
 to the browser that it would like strict handling of HTTPS errors.
 For example, when the site opts into this feature, HTTPS certificate
 errors will be treated as fatal to the connection.

 More details will be surfacing soon in the form of a standards-track
 specification.

 Adam


 On Thu, Sep 17, 2009 at 4:28 PM, Erik Kay erik...@chromium.org wrote:

 For those of us who are curious, could someone explain what this does?

 Erik


 On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson
 fin...@chromium.org wrote:
 +1 to what Peter is saying.
 Like Brett, I have no clue what this checkbox means and think it shouldn't
 have been added.
 However, the question I have... is it appropriate to tuck this in with
 something like deleting the history (like we do with last session, recently
 closed tabs, autogenerated keywords, etc)?
 It is hard for me to evaluate that, not knowing what this does... :)
 -F

 On Thu, Sep 17, 2009 at 16:09, Evan Martin e...@chromium.org wrote:

 On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson bre...@chromium.org wrote:
  On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin e...@chromium.org wrote:
 
  On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley a...@chromium.org wrote:
 
  On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google)
  b...@chromium.org wrote:
  Whoever added this UI, please remove it before I have to when I get
  back next week.
 
  Very well, reverting.
 
  Why not #ifdef around it?  I fear if you revert you'll never check it
  in again.
 
  If that happens, it's the best possible argument that this is a silly
  thing to add.

 No, it's just the argument that it's not the sort of thing people are
 willing to expend the energy to argue about.  With this sort of
 response I'd be tempted to just give up on the patch.




 


 






[chromium-dev] Re: Clear Strict-Transport-Security state checkbox added

2009-09-17 Thread Adam Langley

On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) b...@chromium.org wrote:
 Whoever added this UI, please remove it before I have to when I get
 back next week.

Very well, reverting.


AGL




[chromium-dev] Re: Clear Strict-Transport-Security state checkbox added

2009-09-17 Thread Ben Goodger (Google)

Thanks!

On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley a...@chromium.org wrote:
 On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) b...@chromium.org 
 wrote:
 Whoever added this UI, please remove it before I have to when I get
 back next week.

 Very well, reverting.


 AGL





[chromium-dev] Re: Clear Strict-Transport-Security state checkbox added

2009-09-17 Thread Brett Wilson

On Thu, Sep 17, 2009 at 3:31 PM, Adam Langley a...@chromium.org wrote:

 On Thu, Sep 17, 2009 at 3:03 PM, Peter Kasting pkast...@google.com wrote:
 It's disappointing to me that this change was made without any bug in the
 bug database linked, and without any input from a member of the UI team,
 despite the code reviewer (abarth) explicitly wondering about getting UI
 review.

 Glen recently moved this dialog so that it's now four clicks away
 from the main UI. That certainly starts to put it in the realm of
 trivial UI changes. Also, the dialog is already concerned with things
 that our users don't know about (like 'cookies') and it has a sensible
 default if you don't know what it means.

 I'm more bothered that people who care about their privacy have the
 ability to control the information we store about them.

Advanced users (including me) know what everything means in that
dialog except the checkbox, and it's very scary and obscure sounding.
I agree with Peter that it should not have gone in.

Brett




[chromium-dev] Re: Clear Strict-Transport-Security state checkbox added

2009-09-17 Thread Robert Sesek
It clears the list of hosts in StrictTransportSecurityState:

// StrictTransportSecurityState
//
// Tracks which hosts have enabled StrictTransportSecurityState.  After a host
// enables StrictTransportSecurityState, then we refuse to talk to the host
// over HTTP, treat all certificate errors as fatal, and refuse to load any
// mixed content.
//

rsesek / @chromium.org

On Thu, Sep 17, 2009 at 7:28 PM, Erik Kay erik...@chromium.org wrote:


 For those of us who are curious, could someone explain what this does?

 Erik


 On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson
 fin...@chromium.org wrote:
  +1 to what Peter is saying.
  Like Brett, I have no clue what this checkbox means and think it
 shouldn't
  have been added.
  However, the question I have... is it appropriate to tuck this in with
  something like deleting the history (like we do with last session,
 recently
  closed tabs, autogenerated keywords, etc)?
  It is hard for me to evaluate that, not knowing what this does... :)
  -F
 
  On Thu, Sep 17, 2009 at 16:09, Evan Martin e...@chromium.org wrote:
 
  On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson bre...@chromium.org
 wrote:
   On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin e...@chromium.org
 wrote:
  
   On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley a...@chromium.org
 wrote:
  
   On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google)
   b...@chromium.org wrote:
   Whoever added this UI, please remove it before I have to when I get
   back next week.
  
   Very well, reverting.
  
   Why not #ifdef around it?  I fear if you revert you'll never check it
   in again.
  
   If that happens, it's the best possible argument that this is a silly
   thing to add.
 
  No, it's just the argument that it's not the sort of thing people are
  willing to expend the energy to argue about.  With this sort of
  response I'd be tempted to just give up on the patch.
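
[Added example, not part of the original thread and not Chromium's code.] A small C++ model of the behaviour the source comment quoted above describes, showing what clearing the state changes for a later load. The names StrictTransportModel, Load and Outcome, the host secure.example, and the "bypassable warning" default for hosts that have not opted in are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>

// Added illustration: a simplified model, not Chromium's own class.
enum class Outcome { kLoad, kWarnBypassable, kRefused };

struct Load {          // hypothetical description of one resource load
  std::string host;    // host whose opt-in state governs this load
  bool https;          // false: plain HTTP request
  bool cert_error;     // certificate failed validation
  bool mixed_content;  // insecure subresource on a secure page
};

class StrictTransportModel {
 public:
  void Enable(const std::string& host) { hosts_.insert(Lower(host)); }
  bool IsEnabled(const std::string& host) const { return hosts_.count(Lower(host)) > 0; }
  void Clear() { hosts_.clear(); }  // the checkbox: forget every opted-in host
  // The stored list doubles as a record of sites the user has visited.
  std::vector<std::string> StoredHosts() const {
    return std::vector<std::string>(hosts_.begin(), hosts_.end());
  }
  Outcome Check(const Load& l) const {
    if (IsEnabled(l.host))  // the three rules from the source comment
      return (!l.https || l.cert_error || l.mixed_content) ? Outcome::kRefused : Outcome::kLoad;
    // Assumed default for other hosts: a warning the user can click through.
    return (l.cert_error || l.mixed_content) ? Outcome::kWarnBypassable : Outcome::kLoad;
  }

 private:
  static std::string Lower(std::string s) {  // host names compare case-insensitively
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
  }
  std::set<std::string> hosts_;
};

int main() {  // refused while the host is stored, loads again after Clear()
  StrictTransportModel sts;
  sts.Enable("secure.example");  // constructed host name
  Load plain{"secure.example", false, false, false};
  bool refused = sts.Check(plain) == Outcome::kRefused;
  sts.Clear();
  return (refused && sts.Check(plain) == Outcome::kLoad) ? 0 : 1;
}
```

Clearing removes the stored record of visited hosts, and with it the strict handling for those hosts until they opt in again.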
 
 
 
 
  
 

 





[chromium-dev] Re: Clear Strict-Transport-Security state checkbox added

2009-09-17 Thread Mike Mammarella

There's a published paper about it too:
http://www.adambarth.com/papers/2008/jackson-barth.pdf

On Thu, Sep 17, 2009 at 4:34 PM, Robert Sesek rse...@chromium.org wrote:
 It clears the list of hosts in StrictTransportSecurityState:

 // StrictTransportSecurityState
 //
 // Tracks which hosts have enabled StrictTransportSecurityState.  After a
 host
 // enables StrictTransportSecurityState, then we refuse to talk to the host
 // over HTTP, treat all certificate errors as fatal, and refuse to load any
 // mixed content.
 //

 rsesek / @chromium.org

 On Thu, Sep 17, 2009 at 7:28 PM, Erik Kay erik...@chromium.org wrote:

 For those of us who are curious, could someone explain what this does?

 Erik


 On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson
 fin...@chromium.org wrote:
  +1 to what Peter is saying.
  Like Brett, I have no clue what this checkbox means and think it
  shouldn't
  have been added.
  However, the question I have... is it appropriate to tuck this in with
  something like deleting the history (like we do with last session,
  recently
  closed tabs, autogenerated keywords, etc)?
  It is hard for me to evaluate that, not knowing what this does... :)
  -F
 
  On Thu, Sep 17, 2009 at 16:09, Evan Martin e...@chromium.org wrote:
 
  On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson bre...@chromium.org
  wrote:
   On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin e...@chromium.org
   wrote:
  
   On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley a...@chromium.org
   wrote:
  
   On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google)
   b...@chromium.org wrote:
   Whoever added this UI, please remove it before I have to when I
   get
   back next week.
  
   Very well, reverting.
  
   Why not #ifdef around it?  I fear if you revert you'll never check
   it
   in again.
  
   If that happens, it's the best possible argument that this is a silly
   thing to add.
 
  No, it's just the argument that it's not the sort of thing people are
  willing to expend the energy to argue about.  With this sort of
  response I'd be tempted to just give up on the patch.
 
 
 
 
  
 




 

