On Fri, Sep 18, 2009 at 10:30 PM, Jonas Sicking jo...@sicking.cc wrote:
I wonder for example if the client when receiving a
Strict-Transport-Security header should make a request to the root url
of the same origin to verify that the server indeed wants to opt in to
STS.
That's a good idea.
Comments below.
Web user agents MUST prevent web content from obscuring, hiding, or disabling
security user interfaces.
This is impossible in a multi-window web user agent in an overlapping
window manager (e.g., every major browser on every major
general-purpose operating system).
Web user
On Fri, Sep 18, 2009 at 10:54 PM, Adam Barth w...@adambarth.com wrote:
On Fri, Sep 18, 2009 at 10:30 PM, Jonas Sicking jo...@sicking.cc wrote:
I wonder for example if the client when receiving a
Strict-Transport-Security header should make a request to the root url
of the same origin to verify
On Sat, 19 Sep 2009 07:55:23 +0200, Garrett Smith dhtmlkitc...@gmail.com
wrote:
In looking at the credits, I noticed all of:
Bjoern Hoehrmann, Björn Hoehrmann, Björn Höhrmann, Bjoern H�hrmann
I am not sure if there are two similar BH, as Björn and Bjoern.
Entities for the characters
On Sat, Sep 19, 2009 at 1:46 AM, Jonas Sicking jo...@sicking.cc wrote:
(am I understanding it correctly that http requests can't opt in to STS?)
Well, they opt in by redirecting to HTTPS and then sending the header
over HTTPS. :)
One virtue of your algorithm is that there are no extra requests
We recently landed an implementation of server-sent events in WebKit
(see http://trac.webkit.org/changeset/47323).
As an implementor of the specification, I would like to share my
thoughts on a couple of things that could benefit from clarification,
and a few possible issues.
When parsing an
On Fri, 18 Sep 2009 11:37:24 -0400, Per-Erik Brodin
per-erik.bro...@ericsson.com wrote:
When parsing an event stream, allowing carriage return, carriage return
line feed, and line feed to denote line endings introduces unnecessary
ambiguity into the spec. For example, the sequence \r\r\n\n
Morning,
This sounds reasonable. Returning unauthorized and 0 when the value is
unauthorized sounds good to me.
Should the methods perhaps be called getSystemIdleState() and
getSystemIdleTimeInSeconds()?
Thanks,
David.
On Thu, Sep 17, 2009 at 11:48 PM, Michael Nordman micha...@google.com wrote:
forwarding on behalf of AndyS..
From: Steingruebl, Andy asteingru...@paypal.com
Sent: Saturday, September 19, 2009 8:25 AM
To: Jonas Sicking; =JeffH
Cc: public-webapps@w3.org; Hodges, Jeff; Adam Barth; Collin Jackson
Subject: RE: fyi: Strict Transport Security specification
-Original