User Agent Connection Security
draft-steckbeck-ua-conn-sec-00
| Section | Field | Value |
|---|---|---|
| Document | Type | Expired Internet-Draft (individual); Expired & archived |
| | Author | David Steckbeck |
| | Last updated | 2023-10-01 (Latest revision 2023-03-12) |
| | RFC stream | Independent Submission |
| | Intended RFC status | Experimental |
| Stream | ISE state | In ISE Review |
| | Consensus boilerplate | Unknown |
| | Document shepherd | (None) |
| IESG | IESG state | Expired |
| | Telechat date | (None) |
| | Responsible AD | (None) |
| | Send notices to | (None) |
This Internet-Draft is no longer active.
Abstract
The user agent to server transaction has many attack surfaces, which have been defended by various recommendations such as Content Security Policy. An attack vector that is currently exploited is the open connection policy to first-, second- and third-party resources. A breach of the origin website or other connected resource could require the client to load resources from a malicious network. This document provides a framework which allows authors to publish authorized connectable second- and third-party resources that a user agent should or must follow, depending on the configuration of that user agent.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)