Re: Why the restriction on unauthenticated GET in CORS?

2012-07-21 Thread Eric Rescorla
Henry, In my opinion as Chair, there has been broad consensus in the WebAppSec WG that one of the basic design constraints of CORS is that introducing CORS features into browsers not create new security vulnerabilities for existing network deployments. What you are proposing would have that

Re: CORS proxy - was: CORS security hole?

2012-07-17 Thread Eric Rescorla
This all seems out of scope for the work WebAppSec is chartered for. Henry, can you please raise this in another venue. -Ekr [As WG Chair] On Tue, Jul 17, 2012 at 1:15 PM, Henry Story henry.st...@bblfish.net wrote: On 17 Jul 2012, at 21:32, Dirk Pranke wrote: On Mon, Jul 16, 2012 at 11:22

Re: CORS proxy - was: CORS security hole?

2012-07-17 Thread Eric Rescorla
Jul 2012, at 23:16, Eric Rescorla wrote: This all seems out of scope for the work WebAppSec is chartered for. All of it? Really? Let me look at the charter of the working group. Areas of scope for this working group include: [[ Secure Mashups: Several mechanisms for secure resource

Re: [XHR] chunked requests

2011-12-20 Thread Eric Rescorla
On Tue, Dec 20, 2011 at 9:36 AM, Anne van Kesteren ann...@opera.com wrote: On Sun, 18 Dec 2011 13:12:57 +0100, Eric Rescorla e...@rtfm.com wrote: Sorry, I forgot to mention the 1/n+1 splitting countermeasure in my response. With that said, this isn't TLS 1.1, but rather a specific, more

Re: [XHR] chunked requests

2011-12-20 Thread Eric Rescorla
On Tue, Dec 20, 2011 at 12:11 PM, Anne van Kesteren ann...@opera.com wrote: On Tue, 20 Dec 2011 21:06:28 +0100, Eric Rescorla e...@rtfm.com wrote: On Tue, Dec 20, 2011 at 9:36 AM, Anne van Kesteren ann...@opera.com wrote: Surely this should be patched in the base specification rather than

Re: [XHR] chunked requests

2011-12-20 Thread Eric Rescorla
On Tue, Dec 20, 2011 at 2:47 PM, Anne van Kesteren ann...@opera.com wrote: On Tue, 20 Dec 2011 22:55:40 +0100, Eric Rescorla e...@rtfm.com wrote: That isn't to say that the browser stacks aren't adding 1/n+1 splitting. NSS, for instance, has such a fix. However, I don't think there's anything

Re: [XHR] chunked requests

2011-12-18 Thread Eric Rescorla
On Sat, Dec 17, 2011 at 6:11 AM, Anne van Kesteren ann...@opera.com wrote: On Fri, 09 Dec 2011 19:54:31 +0100, Eric Rescorla e...@rtfm.com wrote: Unfortunately, many servers do not support TLS 1.1, and to make matters worse, they do so in a way that is not securely verifiable. By which I mean

Re: [XHR] chunked requests

2011-12-09 Thread Eric Rescorla
On Fri, Dec 9, 2011 at 4:59 AM, Anne van Kesteren ann...@opera.com wrote: On Fri, 09 Dec 2011 02:13:50 +0100, Eric Rescorla e...@rtfm.com wrote: On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth w...@adambarth.com wrote: Whatever spec we end up going with should note in its security consideration

Re: [XHR] chunked requests

2011-12-09 Thread Eric Rescorla
On Fri, Dec 9, 2011 at 10:37 AM, Adam Barth w...@adambarth.com wrote: On Fri, Dec 9, 2011 at 7:59 AM, Anne van Kesteren ann...@opera.com wrote: On Fri, 09 Dec 2011 16:33:08 +0100, Eric Rescorla e...@rtfm.com wrote: Same-origin requests should be OK because the JS would have access

Re: [XHR] chunked requests

2011-12-08 Thread Eric Rescorla
On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth w...@adambarth.com wrote: Keep in mind that streamed or chunked uploads will expose the ability to exploit the BEAST vulnerability in SSL: http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html Right. Specifically, it needs to
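
The BEAST issue running through the [XHR] chunked requests threads above (a script that can choose the plaintext of each TLS record after seeing the previous record's ciphertext, and the record-splitting countermeasure the thread writes as "1/n+1", usually called 1/n-1, which NSS added) is easiest to see in code. What follows is an added simulation, not code from the thread, from any browser stack or from the XHR specification. It models the TLS 1.0 CBC record layer with chained IVs and uses a SHA-256 keyed PRF as a stand-in for AES (an assumption: the attack only compares ciphertext blocks, so any deterministic keyed block function shows the same behaviour). The cookie, the warm-up request and the attacker's prefix bytes are constructed; the attacker code never reads SECRET directly.

```python
import hashlib
import os

BLOCK = 16

# Constructed secret standing in for a session cookie the browser sends on
# every request. The attacker code below only ever sees ciphertext.
SECRET = b"SESSID=4a7f"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (AES in real TLS). A keyed PRF is enough:
    the attack compares ciphertext blocks and never needs to decrypt."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """Pad a record to a block multiple (zero padding; the exact TLS padding
    scheme plays no role in the chosen-boundary attack)."""
    return data + b"\x00" * (-len(data) % BLOCK)


def frame(plaintext: bytes, split: bool) -> list:
    """Application-data framing: one record per message, or, with 1/n-1
    splitting, the first byte alone followed by the remainder."""
    if split and len(plaintext) > 1:
        return [plaintext[:1], plaintext[1:]]
    return [plaintext]


def flat_pos(i: int, split: bool) -> int:
    """Index of message byte i in the padded plaintext stream of frame()+pad().
    Framing is public, so the attacker can compute this too."""
    if split and i >= 1:
        return BLOCK + (i - 1)      # the 1-byte record occupies exactly one block
    return i


class Tls10Channel:
    """TLS 1.0 CBC record layer: a record's IV is the last ciphertext block of
    the previous record, so the whole connection is one long CBC chain."""

    def __init__(self, key: bytes, split: bool):
        self.key = key
        self.split = split
        self.prev = os.urandom(BLOCK)   # handshake IV, used for the first block only
        self.chain = []                 # every ciphertext block sent, as seen on the wire

    def send(self, plaintext: bytes) -> None:
        for record in frame(plaintext, self.split):
            pt = pad(record)
            for i in range(0, len(pt), BLOCK):
                c = block_encrypt(self.key, xor(pt[i:i + BLOCK], self.prev))
                self.chain.append(c)
                self.prev = c           # chained IV: the next block starts from here


def beast_recover(channel, victim_request, secret_len: int):
    """Chosen-boundary attack. victim_request(prefix) makes the 'browser' send
    prefix + SECRET; the attacker then sends records of its own choosing (the
    streaming-upload capability the thread discusses) and watches the chain."""
    split = channel.split
    recovered = b""
    for k in range(secret_len):
        # Prefix length that puts secret byte k last in a block whose other
        # 15 bytes (prefix, padding, already recovered bytes) are known.
        L = next(n for n in range(1, BLOCK + 2)
                 if flat_pos(n + k, split) % BLOCK == BLOCK - 1)
        prefix = b"A" * L
        start = len(channel.chain)
        victim_request(prefix)
        b = flat_pos(L + k, split) // BLOCK
        target_ct = channel.chain[start + b]        # E(P_b xor target_iv)
        target_iv = channel.chain[start + b - 1]    # block chained into P_b
        stream = b"".join(pad(r) for r in
                          frame(prefix + recovered + b"\x00" * (secret_len - k), split))
        known15 = stream[b * BLOCK:b * BLOCK + BLOCK - 1]
        for g in range(256):
            guess_block = known15 + bytes([g])
            prev = channel.chain[-1]                # IV of the next record, public
            chosen = xor(xor(guess_block, target_iv), prev)
            before = len(channel.chain)
            channel.send(chosen)
            # Unsplit: E(chosen xor prev) == E(guess_block xor target_iv), which
            # equals target_ct exactly when guess_block == P_b.
            if target_ct in channel.chain[before:]:
                recovered += bytes([g])
                break
        else:
            return None   # no match: the IV the guess was built for was never used
    return recovered


def run_demo(split: bool):
    key = os.urandom(16)                            # unknown to the attacker
    channel = Tls10Channel(key, split)
    channel.send(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")  # earlier traffic
    victim = lambda prefix: channel.send(prefix + SECRET)
    return beast_recover(channel, victim, len(SECRET))


if __name__ == "__main__":
    print("TLS 1.0 chained IVs, no countermeasure:", run_demo(split=False))
    print("with 1/n-1 record splitting:            ", run_demo(split=True))
```

Without the countermeasure run_demo recovers SECRET in at most 256 chosen records per byte, because the attacker reads the IV its next record will use off the wire and XORs it out. With splitting, the chosen bytes are encrypted under an IV equal to the ciphertext of the one-byte record, which the cipher produces only after the attacker has committed its plaintext, so no guess can line up; the check scans all blocks of the attacker's send to show that it is the unpredictable IV, not record alignment, that breaks the attack. This is the same property that TLS 1.1's explicit per-record IV provides natively, which is why the thread treats splitting as a client-side stand-in for TLS 1.1 rather than a replacement for it.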