Re: [webappsec + webapps] CORS to PR plans

2013-08-12 Thread Brad Hill
, 2013 at 3:47 PM, Brad Hill hillb...@gmail.com wrote: 1. Changed Fetch references. The CR document referenced the WHATWG Fetch spec in a number of places. This was problematic due to the maturity / stability requirements of the W3C for document advancement, and I feel also inappropriate

Re: [webappsec + webapps] CORS to PR plans

2013-08-16 Thread Brad Hill
. Positive feedback is encouraged and silence will be considered assent. I have updated the target date for PR to 26-Sep-2013. Thank you, Brad Hill On Mon, Aug 5, 2013 at 4:48 PM, Brad Hill hillb...@gmail.com wrote: I'd like to issue this as a formal Call for Consensus at this point

Re: No-context ACTION emails are confusing

2014-10-28 Thread Brad Hill
These are created automatically by the tracker, and the create a new action web form doesn't let you insert context until after the action is created. On 10/28/14, 2:47 AM, Anne van Kesteren ann...@annevk.nl wrote: Can we perhaps not post ACTION-creation emails to the list? --

Re: CORS performance

2015-02-17 Thread Brad Hill
On both this, and CSP pinning, I find myself getting nervous about adding an increasing number of headers which, when sent by any resource, impact the security posture and functioning of an entire origin. HSTS and HPKP are somewhat special in that: they convey only a few bits of information. are

Re: CORS performance

2015-02-19 Thread Brad Hill
I think that POSTing JSON would probably expose to CSRF a lot of things that work over HTTP but don't expect to be interacted with by web browsers in that manner. That's why the recent JSON encoding for forms mandates that it be same-origin only. On Thu Feb 19 2015 at 12:23:48 PM Jonas Sicking

Re: Security use cases for packaging

2015-01-29 Thread Brad Hill
Paging (future Dr.) Deian Stefan to the ER... Any thoughts on using COWL for this kind of thing, with a pinned crypto key as a confinement label to be combined with the regular Origin label? -Brad On Thu Jan 29 2015 at 1:43:05 PM Yan Zhu y...@yahoo-inc.com wrote: chris palmer wrote: But

Fwd: [webappsec] CfC: Proposed non-normative updates to CORS

2015-08-03 Thread Brad Hill
(Dang, just realized I forgot to include WebApps on this joint deliverable.) Members of WebApps, please note the below Call for Consensus on proposed non-normative updates to the CORS recommendation and comment on public-webapp...@w3.org by Monday, August 10, 2015. Thank you, Brad Hill co-chair

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-12-01 Thread Brad Hill
, especially since we know there are active attacks being mounted against this traffic on a regular basis. (This is why I suggested .onion sites as potentially secure contexts, which do not suffer from the same exposure outside of the Tor network.) -Brad On Tue, Dec 1, 2015 at 5:42 AM Aymeric Vitte <

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Brad Hill
I don't think there is universal agreement among browser engineers (if anyone agrees at all) with your assertion that the Tor protocol or even Tor hidden services are "more secure than TLS". TLS in modern browsers requires RSA 2048-bit or equivalent authentication, 128-bit symmetric key

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Brad Hill
e's time on this list. Please refrain from continuing down these paths. thank you, Brad Hill, as co-chair On Mon, Nov 30, 2015 at 6:25 PM Florian Bösch <pya...@gmail.com> wrote: > On Mon, Nov 30, 2015 at 10:45 PM, Richard Barnes <rbar...@mozilla.com> > wrote: > >> 1. Auth