W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Re: Summary of "What is a secure page?" discussion, first draft

From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
Date: Wed, 25 Apr 2007 00:09:30 +0200
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Message-ID: <op.tra6h417qrq7tp@nimisha.oslo.opera.com>

On Tue, 24 Apr 2007 20:03:49 +0200, Yngve N. Pettersen (Developer Opera  
Software ASA) <yngve@opera.com> wrote:

>
> Hello all,
>
> Here is my first draft of the summary of the earlier discussion of what  
> a secure page is (or should be).
>
> Comments, suggestions?
>
> ----------------------

Since everybody loves an example (I hope), here is one that just showed up  
in our bug report system:

   <URL: https://www.agito.pl/?switch=login&cmd=options >

This page gets "No padlock" from Opera.

All elements on the page have an https:// URL, so why does it not get a  
padlock?

The problem turns out to be a 1-by-1 pixel webbug with the URL

  <URL: https://www.agito.pl/index.php?switch=count&amp;pid >

This URL is redirected to

  <URL: http://www.agito.pl/index.php?switch=count&amp;pid >

In other words, it is mixing secure and unsecure content.

I have seen this with larger images (that contained stock exchange  
graphs), as well as an external Javascript (on a  
please-fill-in-your-credit-card-details page).

-- 
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Tuesday, 24 April 2007 22:09:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:47 GMT