Results 298 comments of David Benjamin

Given that it is 2020 and HTTPS is table stakes, I'm inclined to think this would not be the right tradeoff.

> better handling of still-missing headers

What kind of better handling were you envisioning? The server is equally obligated to respond to the missing headers in both requests. On the...

Yeah, such a server would break if the client doesn't support the hint, or declined to send it for some reason.

FPS should not blanket replace every use of "site" in the platform. @annevk is right that sites are security boundaries elsewhere in the platform. E.g. the process allocation business is...

I'm not familiar with the PWA setup, but the latter (explicit) seems preferable to me. If we overload FPS with lots of meanings, we'll weaken privsep. Suppose a site says...

There are a few things an origin might be worried about with a compromised subdomain:
1. Can the subdomain read cookies set by my origin? (Confidentiality)
2. Can the subdomain...

WebSockets map the ws/wss URLs to http/https before running through most of fetch, so it's still the same scheme. See step 1 of https://fetch.spec.whatwg.org/#websocket-opening-handshake. I think using schemes is the...

@ggreenway if I'm reading https://github.com/envoyproxy/envoy/issues/33850#issuecomment-2092033930, it sounds like the kernel fix is not sufficient. If the second half of the ClientHello happens to arrive nontrivially later, e.g. due to packet...

Talking to Google Envoy folks, it sounds like I misunderstood the bug. Would be good to confirm that you all indeed retry correctly when the second packet comes in late,...

On the TLS side, TLS 1.2 doesn't correlate curves and hashes and people kept confusing parameterized signature schemes with parameters to the sign and verify function, so the full product...