W3C home > Mailing lists > Public > public-wsc-wg@w3.org > June 2008

ACTION-486: Rewrite section 5.4.3

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Wed, 11 Jun 2008 14:37:36 -0400
Message-Id: <ED675126-072F-4B72-8D11-A49F48C0E220@mozilla.com>
To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>

As discussed in today's call, the text in section 5.4.3 is difficult  
for me to make heads or tails of, particularly in terms of claiming  
conformance for Firefox.  Since others in the group seemed to feel  
similarly confused, I took an action to re-state what, on the call,  
appeared to be the consensus goals of this section, despite its  
current wording.

I propose that section 5.4.3 as it currently exists be removed, and  
the following text inserted as the new 5.4.3 and (added) 5.4.4.  I  
tried to provide basic motivation and straightforward conformance  
language for both issues.

-=-

5.4.3 Redirection Chains

Page redirection (whether by 302-style http headers, or html/ 
javascript logic) can happen so quickly in some cases that it is  
possible for UI to appear as though a continuous, secure connection  
has been maintained, even if navigation between pages has involved  
redirects over weakly TLS-protected or unsecured http channels.  This  
can engender false confidence in the integrity and privacy of user  
data.  Web user agents SHOULD inform users, using an error of class  
Warning or above (ref 6.4.3, 6.4.4), when navigation between TLS- 
protected resources involves redirects which travel over weakly TLS- 
protected, or unsecured http channels.

5.4.4 Insecure form submission

Users interacting with a strongly TLS-protected resource are likely to  
develop the impression that information submitted during these  
interactions will be likewise strongly TLS-protected.  User agents  
SHOULD warn users, using an error of class Warning or above (ref  
6.4.3, 6.4.4), if form submissions from a strongly TLS-protected page  
are directed to an unsecured channel.

-=-

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Wednesday, 11 June 2008 18:38:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 11 June 2008 18:38:29 GMT