> I believe some ideas of this character have been discussed in the W3C
> WebAppSec WG.
> http://www.w3.org/2011/webappsec/

Can you point to anything more specific? I discussed s-links via email with Adam Barth, who's a CSP editor, and it didn't seem that this has been extensively discussed by the WebAppSec WG...

The only thing I can think of is discussion about enabling CSP to require that the same cert is presented for all page resources, which I believe didn't make the spec due to origin contamination problems. S-links, by the way, has the same issue unless a persistent key pin (or other persistent security upgrade) is immediately received, as discussed on the s-links site - this is a very important subtlety.

Cheers,
Joe

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey