Explain how Token Binding IDs get associated with an HTML context.

[jyasskin]

This is probably a change for HTML or https://tools.ietf.org/html/draft-ietf-tokbind-protocol, but it's not clear to me how a Token Binding ID becomes available for an origin or Document or settings object.

[equalsJeffH]

Well, it is not a change appropriate for draft-ietf-tokbind-protocol, since that spec does not delve into user agent implementation particulars (tho it does mention this use case in section 5 2nd paragraph). We might also reference draft-ietf-tokbind-https, but it does not answer this user agent-specific question, so may not be appropriate for this spec to reference(?).

In nosing around, it seems to me that, yes, we should perhaps add something to the HTML spec, and given that an environment settings object has an HTTPS state value, perhaps we should propose adding an HTTPSProperties interface of which an attribute is the Token Binding ID (if any) for the underlying TLS connection?

[jyasskin]

Yes, collecting the Token Binding ID during https://fetch.spec.whatwg.org/#http-network-fetch and adding it to the response object and thence to the settings object sounds reasonable. I'll file a bug against Fetch and CC you. Anne may want you to write the actual change.

[jyasskin]

Ah, and whatwg/fetch#325 is already taking care of this. This issue should track integrating with that change to fetch() when it's merged.

[equalsJeffH]

@jyasskin speaks truth in #360 (comment) -- will do

[equalsJeffH]

wrt #360 (comment)
unfortunately, those aspects of whatwg/fetch#715 (formerly whatwg/fetch#325) appear to have been lost, see also: whatwg/fetch#715 (review)

[selfissued]

Who can take ownership of the Fetch additions and get them to complete?

[equalsJeffH]

Please see PR #1077