On Mon, Aug 18, 2014 at 7:07 PM, Hill, Brad wrote:
> I think the broader goals Jonas has articulated probably belong in their
> own group, perhaps chartered along with some of what comes out of the
> upcoming Web Crypto Next Steps workshop.
>
I'm certainly interested in seeing what comes out of
I think the broader goals Jonas has articulated probably belong in their own
group, perhaps chartered along with some of what comes out of the upcoming Web
Crypto Next Steps workshop.
http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers.html
I'll say by way of indicating possible c
On Tue, Aug 12, 2014 at 10:19 PM, Jonas Sicking wrote:
> > One- or two-click sign _up_, on the other hand, will likely be more
> > difficult given the complexities of authorization (scopes, etc).
>
> I'm not sure what you count as sign-up? Today, if I visit a new
> website that I've never visited
On Tue, Aug 12, 2014 at 9:33 AM, Mike West wrote:
>> * Enable a login flow which is less "jarring" UX-wise than today's
>> redirects.
>> * Don't increase the number of clicks needed to log in. Today two
>> clicks are usually enough, we shouldn't be worse than that since then
>> websites won't adop
Hi Jonas, thanks for this feedback!
On Tue, Aug 12, 2014 at 11:51 AM, Jonas Sicking wrote:
> I'm very interested in improving the login experience on websites. In
> particular I'd like to create a better flow when federated logins are
> used, with at least the following goals:
>
I think these a
Hi Mike,
I'm very interested in improving the login experience on websites. In
particular I'd like to create a better flow when federated logins are
used, with at least the following goals:
* Make it easier for websites to use federated login so as to discourage passwords.
* Ensure that the designed
Thanks Jacob!
On Fri, Aug 1, 2014 at 6:48 PM, Jacob S Hoffman-Andrews wrote:
> I think the CSP directive is unnecessary and makes things more fragile. The
> 'protect this credential from XSS' attribute should be a property of a
> stored credential, not a web site. If the site has the correct CSP
Your proposal decouples spec from implementation more than the
placeholder approach does, which is good.
I think the CSP directive is unnecessary and makes things more
fragile. The 'protect this credential from XSS' attribute should be
a property of a stored credential, not a web site. If the
On Fri, Aug 1, 2014 at 3:31 PM, Brian Smith wrote:
> There is some tension here between making things password-specific and
> simple vs. making them general and harder to understand. Defining this
> as a mechanism to protect only passwords keeps it simple. But, it
> seems wrong to have a way to p
On Fri, Aug 1, 2014 at 5:37 AM, Mike West wrote:
> On Thu, Jul 31, 2014 at 6:37 PM, Brian Smith wrote:
>> particular, if we are worried about XSS stealing passwords then we
>> have to consider the possibility that XSS has inserted a form without
>> any httponly attributes being used, right?
>
> C
Hi Mike,
On 31/07/2014 09:48, Mike West wrote:
> It's not clear to me that WebApps is the right venue from a process
> perspective, but this is almost certainly the right group of people to
> evaluate the proposal.
>
> Thanks in advance for your feedback, suggestions, and time. :)
As you know I think t
Forking this out into a separate thread, as I think it's a great idea, but
tangential to the original proposal. :)
TL;DR: I put together a strawman based on these suggestions which defines a
'writeonly' attribute on HTMLInputElement:
http://projects.mikewest.org/credentialmanagement/writeonly/, WD
On Thu, Jul 31, 2014 at 6:40 PM, Brian Smith wrote:
> On Thu, Jul 31, 2014 at 9:37 AM, Brian Smith wrote:
>> Web browsers with sandboxed child processes have the networking logic
>> in the more-privileged parent process. The purpose of sandboxing is to
>> protect against exploits in the child pro
On Thu, Jul 31, 2014 at 9:37 AM, Brian Smith wrote:
> Web browsers with sandboxed child processes have the networking logic
> in the more-privileged parent process. The purpose of sandboxing is to
> protect against exploits in the child process. It would be useful for
> the process/privilege separ
On Thu, Jul 31, 2014 at 8:19 AM, Jacob S Hoffman-Andrews wrote:
> I'd say there are approximately three styles for login form submission:
> A) No JS. A with some 's that gets submitted when
> you click an .
> B) Some JS. A that gets submitted by JS calling form.submit().
> C) All JS. A set of
I like the idea of standardizing some of the interactions between
password managers and web sites.
I think we should strongly consider ways to integrate XSS
mitigation. Hopefully before too long most people will be using a
password manager. With most password managers, if there is a
transient
TL;DR: Strawman spec and usecases at
https://github.com/mikewest/credentialmanagement
# Use Cases
User agents' password managers are a fragile and proprietary hodgepodge of
heuristics meant to detect and fill sign-in forms, password change forms,
etc.
We can do significantly better if we invite w