On Wed, Feb 2, 2022 at 6:28 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>> During the WebTransport Intent to Ship email thread
>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/kwC5wES3I4c>,
>> concerns were raised regarding the security considerations of this portion
>> of the spec being incomplete. We believe that we have addressed those
>> concerns (notably, in this PR
>> <https://github.com/w3c/webtransport/pull/375>).
>>
>
> Please follow up on the PR to ensure it lands. Thanks! :)
>

Will do! I believe we're almost there, though this might have to wait until the next WG meeting.

>
>> Interoperability and Compatibility
>>
>> There is some discussion about adding a mechanism to prevent websites
>> from using this feature via an HTTP header (either CSP or a new header).
>> Some of the proposals could potentially break existing usage under certain
>> conditions (e.g. if a webpage both uses serverCertificateHashes and has a
>> connect-src directive, and we decide to extend connect-src); I expect for
>> those cases to be sufficiently niche to ultimately not be a problem, and
>> the question itself is of fairly low priority as there does not seem to be
>> a strong security reason for a website to restrict serverCertificateHashes.
>>
>
> Are you planning to file a separate intent once those plans materialize?
>

Yes, that is the intention.