Re: Fetch: HTTP authentication and CORS from Anne van Kesteren on 2013-05-04 (public-webappsec@w3.org from May 2013)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 4 May 2013 09:29:27 +0100
To: Jonas Sicking <jonas@sicking.cc>
Cc: Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
Message-ID: <CADnb78gmbK+DNwZXa9JZ+YC6xYcm_QAAx6eXjVxf3HG=Vgbe=A@mail.gmail.com>

On Fri, May 3, 2013 at 7:00 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> In the Gecko implementation they aren't. Assuming that you mean when with
> credentials is set to false?

Right, when it's set to false. What's the normative reference for TLS
client certificates? https://tools.ietf.org/html/rfc5246#section-7.4.6
maybe?

> We also don't reuse keep-alive http connections.

Are we talking about persistent connections as per
http://tools.ietf.org/html/rfc2616#section-8.1 or the obsolete
HTTP/1.0 feature?

--
http://annevankesteren.nl/

Received on Saturday, 4 May 2013 08:29:57 UTC