Remove Sec- prefixes #160


Merged
merged 2 commits into from
May 5, 2025
Conversation

drubery
Collaborator

@drubery drubery commented Apr 30, 2025

This is meaningless on the response headers, and on the Sec-Session-Response, the server needs to carefully validate that the expected key is being used anyway. It does seem kind of nice if the server can trust that the Sec-Session-Id is truly coming from the site instead of an XHR, so that it can look up the right expected public key for the Sec-Session-Response, so we leave the Sec- prefix on that one header. Following the discussion on #59, we make the shared prefix Secure-Session- instead.
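An added example, not code from the DBSC repository or from this PR, of the server-side check the description above relies on, in Go. Because Sec- is a forbidden request-header prefix in the Fetch standard, page script cannot set Sec-Session-Id through fetch or XHR, so the server can use it to select which bound public key to expect; the Sec-Session-Response is still verified under that key rather than trusted, which is the point the description makes. The in-memory Store, the dot-separated token format standing in for the spec's signed response, the Ed25519 keys and the response header name Secure-Session-Challenge are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is what the server recorded at registration: the bound public key and the last challenge it issued.
type Session struct {
	PublicKey ed25519.PublicKey
	Challenge string
}

// Store is a constructed in-memory stand-in for the server's session table.
type Store struct{ sessions map[string]*Session }

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

func (s *Store) Register(id string, pub ed25519.PublicKey, challenge string) {
	s.sessions[id] = &Session{PublicKey: pub, Challenge: challenge}
}

var (
	ErrUnknownSession = errors.New("missing or unknown Sec-Session-Id")
	ErrBadResponse    = errors.New("malformed Sec-Session-Response")
	ErrBadSignature   = errors.New("Sec-Session-Response not signed by the key bound to this session")
	ErrBadChallenge   = errors.New("signed challenge does not match the one issued")
)

// SignResponse builds the constructed token used here in place of the spec's
// signed response: "<challenge>.<base64url(ed25519 signature over challenge)>".
func SignResponse(priv ed25519.PrivateKey, challenge string) string {
	sig := ed25519.Sign(priv, []byte(challenge))
	return challenge + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyRefresh is the server-side check the PR describes. Sec-Session-Id only
// selects which key to expect (page script cannot set a Sec- request header, so
// an XHR cannot supply it); the Sec-Session-Response is then verified under
// exactly that key, never under a key named inside the token.
func (s *Store) VerifyRefresh(h http.Header) (string, error) {
	id := h.Get("Sec-Session-Id")
	sess, ok := s.sessions[id] // a missing header yields "", which is never registered
	if !ok {
		return "", ErrUnknownSession
	}
	parts := strings.SplitN(h.Get("Sec-Session-Response"), ".", 2)
	if len(parts) != 2 {
		return "", ErrBadResponse
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", ErrBadResponse
	}
	if !ed25519.Verify(sess.PublicKey, []byte(parts[0]), sig) {
		return "", ErrBadSignature
	}
	if parts[0] != sess.Challenge {
		return "", ErrBadChallenge
	}
	return id, nil
}

// RefreshHandler wires the check into net/http. The response header carries the
// Secure-Session- prefix the PR settles on (server-to-browser, so Sec- would add
// nothing); the exact name Secure-Session-Challenge is an assumption here.
func (s *Store) RefreshHandler(w http.ResponseWriter, r *http.Request) {
	id, err := s.VerifyRefresh(r.Header)
	if err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	w.Header().Set("Secure-Session-Challenge", "next-challenge-for-"+id)
	w.WriteHeader(http.StatusOK)
}

func main() {
	store := NewStore()
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, privB, _ := ed25519.GenerateKey(rand.Reader) // key bound to some other session
	store.Register("session-A", pubA, "challenge-1")
	for name, priv := range map[string]ed25519.PrivateKey{"bound key": privA, "foreign key": privB} {
		req := httptest.NewRequest(http.MethodPost, "/refresh", nil)
		req.Header.Set("Sec-Session-Id", "session-A")
		req.Header.Set("Sec-Session-Response", SignResponse(priv, "challenge-1"))
		rec := httptest.NewRecorder()
		store.RefreshHandler(rec, req)
		fmt.Printf("%-11s -> %d %q\n", name, rec.Code, rec.Header().Get("Secure-Session-Challenge"))
	}
}
```

The ordering in VerifyRefresh is deliberate: the session id picks the key, and only a token signed by that exact key is accepted, so a response signed with a key bound to a different session (or any key the client chooses to name) is rejected before the challenge is even compared.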

@drubery drubery force-pushed the push-lvnkqktwoylq branch from 74bccd3 to ebf1111 Compare May 1, 2025 16:45
@drubery drubery force-pushed the push-omlvlrpllozt branch from 3993390 to bcc4cc4 Compare May 1, 2025 17:00
@drubery drubery force-pushed the push-lvnkqktwoylq branch from ebf1111 to d26e2cd Compare May 1, 2025 17:00
@drubery drubery requested a review from thefrog-gh May 2, 2025 23:59
@drubery drubery force-pushed the push-lvnkqktwoylq branch from d26e2cd to bc5e2cd Compare May 3, 2025 00:15
@drubery drubery force-pushed the push-omlvlrpllozt branch from bcc4cc4 to accda14 Compare May 3, 2025 00:15
@drubery drubery force-pushed the push-lvnkqktwoylq branch from bc5e2cd to 4dcb306 Compare May 3, 2025 00:23
@drubery drubery force-pushed the push-omlvlrpllozt branch from 7ee8f05 to af0c0aa Compare May 3, 2025 00:23
@@ -218,7 +218,7 @@ In order to use DBSC, site owners need to establish two new endpoints:
the registration endpoint and the refresh endpoint.
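Review bot: this hunk lands in the section that tells site owners to stand up the registration and refresh endpoints (spec line 218), so its header names are the ones readers will copy; since the PR keeps Sec- only on Sec-Session-Id and moves every other header to Secure-Session-, please check that the names used here match every later reference in the spec, so that the only remaining divergence is the explainer, which the thread below agrees to leave until after the OT.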
Collaborator


Do you want to update the public explainer as well? (though would that be confusing for folks wanting to participate in the OT?)

Collaborator Author


Yeah I think this is one where we should not update the explainer. I think we can update the explainer after the OT, but I don't want to confuse people.

Collaborator


Sounds good to me. Can we have a way to track this so we don't forget?

Collaborator Author

@drubery drubery force-pushed the push-omlvlrpllozt branch from af0c0aa to 9a9c318 Compare May 5, 2025 22:12
@drubery drubery force-pushed the push-lvnkqktwoylq branch from 4dcb306 to 7fc992c Compare May 5, 2025 22:12
@drubery drubery force-pushed the push-omlvlrpllozt branch from 9a9c318 to d44329e Compare May 5, 2025 22:19
@drubery drubery force-pushed the push-lvnkqktwoylq branch from 7fc992c to 59234d9 Compare May 5, 2025 22:19
@drubery drubery force-pushed the push-omlvlrpllozt branch from d44329e to 2ed8356 Compare May 5, 2025 22:25
@drubery drubery force-pushed the push-lvnkqktwoylq branch from 59234d9 to 9357beb Compare May 5, 2025 22:25
Daniel Rubery added 2 commits May 5, 2025 15:28
This is meaningless on the response headers, and on the
Sec-Session-Response, the server needs to carefully validate that the
expected key is being used anyway. It does seem kind of nice if the
server can trust that the Sec-Session-Id is truly coming from the site
instead of an XHR, so that it can look up the right expected public key
for the Sec-Session-Response, so we leave the Sec- prefix on that one
header. Following the discussion on
#59, we make the shared
prefix Secure-Session- instead.
@drubery drubery force-pushed the push-lvnkqktwoylq branch from 9357beb to 52437d6 Compare May 5, 2025 22:29
@drubery drubery changed the base branch from push-omlvlrpllozt to main May 5, 2025 22:30
@drubery drubery merged commit 832fb1f into main May 5, 2025
2 checks passed
github-actions bot added a commit that referenced this pull request May 5, 2025
SHA: 832fb1f
Reason: push, by drubery

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@drubery drubery deleted the push-lvnkqktwoylq branch May 5, 2025 22:40