Re: ACTION-640: clarification to interaction model?

Joe Steele wrote:
> I would propose this change to paragraph 1 in section 5.3:
> If a given Web page consists of a single resource only, then all 
> content *<change>retrieved through an HTTP transaction</change>* that 
> the user interacts with has security properties derived from the HTTP 
> transaction used to retrieve the content.
> And similar changes to the two following definitions:
>
> [Definition: A Web page is called *TLS-secured* if the top-level 
> resource and all other resources that can affect or control the page's 
> content and presentation *<change>and are retrieved through an HTTP 
> transaction</change>* have been retrieved through strongly TLS 
> protected HTTP transactions.
>

Looking at these two definitions, the changes seem tautological, 
therefore -1.

However, I'd suggest we say this in 4.1, after the fourth paragraph: "In 
interactive Web applications, the presentation to the user might also 
depend on state that is local to the client - be it local storage of 
structured data, or be it recent interactions with the Web page. The 
security properties of those data will depend on the security properties 
of the client computer itself, and are out of scope for this specification."

Thoughts?

> [Definition: A Web page is called *mixed content* if the top-level 
> resource was retrieved through a strongly TLS protected HTTP 
> transaction, but some dependent resources were *<change>retrieved 
> through a weakly protected or unprotected HTTP transaction</change>*]
>

+1

Received on Friday, 9 April 2010 12:34:23 UTC
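As an added illustration, not part of the thread or of the WSC-UI specification text, the following JavaScript encodes the three page-level classifications discussed above (TLS-secured, mixed content, otherwise not TLS-secured) and leaves client-local state out of the calculation, as the proposed 4.1 sentence suggests. The labels "strong"/"weak"/"none", the record shape, the hypothetical hosts, and the rule that a certificate-error override or an anonymous cipher suite demotes a TLS fetch to "weak" are assumptions made for this example.

```javascript
// Added example, not code from the thread or the WSC-UI specification.
// It encodes the three page-level definitions under discussion:
//   TLS-secured   - top-level and every dependent resource that can affect
//                   content/presentation came over strongly TLS protected HTTP
//   mixed content - top-level strongly protected, some dependent resource
//                   weakly protected or unprotected
//   otherwise     - the page is not TLS-secured at all
// Assumptions (not from the thread): the labels "strong"/"weak"/"none", the
// record shape {url, source, protection}, and the rule that a certificate
// error override or an anonymous cipher suite makes a TLS fetch "weak".

function protectionOf(url, { certOverridden = false, anonymousCipher = false } = {}) {
  const u = new URL(url);
  if (u.protocol !== "https:") return "none";           // plain http://, no TLS at all
  if (certOverridden || anonymousCipher) return "weak"; // TLS, but not strongly protected
  return "strong";
}

// Build a resource record. source "http" means the bytes came from an HTTP
// transaction; "local" means they came from client-side state (local storage,
// earlier user interaction) and carry no transport security of their own.
function resource(url, opts = {}) {
  const source = opts.source || "http";
  return {
    url,
    source,
    protection: source === "http" ? protectionOf(url, opts) : null,
  };
}

function classifyPage(topLevel, dependents) {
  // Only resources retrieved through an HTTP transaction have security
  // properties derived from the transport. Client-local state is excluded:
  // its properties depend on the client machine, not on the page's fetches.
  const fetched = dependents.filter(r => r.source === "http");

  if (topLevel.source !== "http" || topLevel.protection !== "strong") {
    return "not-tls-secured";
  }
  return fetched.every(r => r.protection === "strong") ? "tls-secured" : "mixed-content";
}

// Constructed sample pages (hypothetical hosts, not real sites).
const SAMPLES = {
  secured: {
    top: resource("https://example.test/app"),
    deps: [
      resource("https://example.test/app.js"),
      resource("https://cdn.example.test/style.css"),
      resource("local:prefs", { source: "local" }), // never parsed as an HTTP URL
    ],
  },
  mixedPlain: {
    top: resource("https://example.test/app"),
    deps: [resource("http://cdn.example.test/widget.js")],
  },
  mixedWeak: {
    top: resource("https://example.test/app"),
    deps: [resource("https://badcert.example.test/lib.js", { certOverridden: true })],
  },
  plainTop: {
    top: resource("http://example.test/app"),
    deps: [resource("https://example.test/app.js")],
  },
};

// Classify every sample and return the results keyed by sample name.
function classifySamples() {
  const out = {};
  for (const [name, page] of Object.entries(SAMPLES)) {
    out[name] = classifyPage(page.top, page.deps);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifySamples());
}
```

Two points the code makes that the prose leaves implicit: a dependent resource fetched over TLS with an overridden certificate error is enough to turn a page into mixed content, since the definition speaks of "weakly protected or unprotected" rather than of the URL scheme; and a page whose top-level resource is not strongly protected is neither TLS-secured nor mixed content under these definitions, whatever its dependents look like.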