On Fri, 09 Dec 2011 02:13:50 +0100, Eric Rescorla <e...@rtfm.com> wrote:
> On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth <w...@adambarth.com> wrote:
>> Whatever spec we end up going with should note in its security
>> consideration that the user agent must implement TLS 1.2 or greater to
>> avoid this attack.
>
> I believe it's actually TLS 1.1, since the relevant feature is
> explicit IVs. Or you could allow RC4, I guess.

Are you saying that if responseType is set to "stream" and the server only supports TLS 1.0 the connection should fail, but if it is greater than that it is okay?

Same-origin requests are always okay? (Though it seems we should just require TLS 1.1 there too then to not make matters too confusing.)


--
Anne van Kesteren
http://annevankesteren.nl/
