Re: ACTION-640: clarification to interaction model?

Excellent.

Going once, going twice....

Sold.

consensus declared. 

          Mez





From:   Joe Steele <steele@adobe.com>
To:     Thomas Roessler <tlr@w3.org>
Cc:     WSC WG public <public-wsc-wg@w3.org>
Date:   04/15/2010 04:17 PM
Subject:        Re: ACTION-640: clarification to interaction model?
Sent by:        public-wsc-wg-request@w3.org



And I agreed with Thomas after further reflection.

On Apr 15, 2010, at 5:05 AM, Thomas Roessler wrote:

> Mez asked me to summarize what I think we've agreed on.
> 
> From Joe:
> 
>>> [Definition: A Web page is called *mixed content* if the top-level 
>>> resource was retrieved through a strongly TLS protected HTTP 
>>> transaction, but some dependent resources were *<change>retrieved 
>>> through a weakly protected or unprotected HTTP transaction</change>*]
> 
> From myself:
> 
>> I'd suggest we say this in 4.1, after the fourth paragraph: "In 
>> interactive Web applications, the presentation to the user might also 
>> depend on state that is local to the client - be it local storage of 
>> structured data, or be it recent interactions with the Web page. The 
>> security properties of those data will depend on the security properties 
>> of the client computer itself, and are out of scope for this 
>> specification."
> 
> Joe had suggested additional changes that I disagree with.
> 
> --
> Thomas Roessler, W3C  <tlr@w3.org>
> 
> On 13 Apr 2010, at 14:59, Thomas Roessler wrote:
> 
>> If we think we have agreement on my proposed changes in the working 
>> group, I'll add them to the spec later this week.
>> 
>> Thanks,
>> -- 
>> Thomas Roessler, W3C <tlr@w3.org>
>> 
>> Joe Steele wrote:
>>> Good point. I agree that the current text does not define what is 
>>> considered correct behavior when content is not retrieved over HTTP. In 
>>> the example you mention where some resources are retrieved over FTP, a 
>>> browser could be considered compliant if it reported that website as 
>>> TLS-secured.
>>> 
>>> If I am reading that correctly and we are ok with that interpretation, 
>>> I have no further objection.
>>> 
>>> Joe
>>> 
>>> On Apr 9, 2010, at 3:54 PM, Thomas Roessler wrote:
>>> 
>>> Joe Steele wrote:
>>> The 4.1 proposed text is fine.
>>> 
>>> I can see your point on the change to the first two paragraphs, but I 
>>> still think something more is needed to narrow the scope. The text in 5.3 
>>> refers to "all content" and "all other resources". It does not acknowledge 
>>> that some content might not be coming through an HTTP transaction. That is 
>>> the root of the problem. We need to remove that "all" qualifier and 
>>> replace it with something more narrow. Any suggestions as to what? 
>>> Providing some explanatory text elsewhere doesn't seem to solve the 
>>> problem.
>>> 
>>> 
>>> The change that you suggest here has an interesting side effect: If, for
>>> example, a resource that's part of a web page is retrieved through FTP
>>> (or some future insecure network protocol), then that resource's
>>> security wouldn't matter for the determination of mixed content.  In the
>>> text as currently written, one could argue that the behavior is
>>> undefined -- which is entirely fine for the purposes of this 
>>> specification.
>>> 
>>> That's why I'm extremely reluctant to do the tighter scoping in the way
>>> in which you suggest it.
>>> 
>>> 
>>> Joe
>>> 
>>> On Apr 9, 2010, at 5:34 AM, Thomas Roessler wrote:
>>> 
>>> 
>>> Joe Steele wrote:
>>> 
>>> I would propose this change to paragraph 1 in section 5.3:
>>> If a given Web page consists of a single resource only, then all
>>> content *<change>retrieved through an HTTP transaction</change>* that
>>> the user interacts with has security properties derived from the HTTP
>>> transaction used to retrieve the content.
>>> And similar changes to the two following definitions:
>>> 
>>> [Definition: A Web page is called *TLS-secured* if the top-level
>>> resource and all other resources that can affect or control the page's
>>> content and presentation *<change>and are retrieved through an HTTP
>>> transaction</change>   *have been retrieved through strongly TLS
>>> protected HTTP transactions.
>>> 
>>> 
>>> Looking at these two definitions, the changes seem tautological,
>>> therefore -1.
>>> 
>>> However, I'd suggest we say this in 4.1, after the fourth paragraph: "In
>>> interactive Web applications, the presentation to the user might also
>>> depend on state that is local to the client - be it local storage of
>>> structured data, or be it recent interactions with the Web page. The
>>> security properties of those data will depend on the security properties
>>> of the client computer itself, and are out of scope for this 
>>> specification."
>>> 
>>> Thoughts?
>>> 
>>> 
>>> [Definition: A Web page is called *mixed content* if the top-level
>>> resource was retrieved through a strongly TLS protected HTTP
>>> transaction, but some dependent resources were *<change>retrieved
>>> through a weakly protected or unprotected HTTP transaction</change>*]
>>> 
>>> 
>>> +1
>>> 
>> 
> 

Received on Friday, 16 April 2010 12:02:33 UTC
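The FTP side effect argued in the thread, as an added example that is not part of the original messages or of the WSC specification: it encodes the TLS-secured and mixed content definitions as quoted above, once with every dependent resource counting (Thomas's reading of the current text) and once with Joe's proposed "retrieved through an HTTP transaction" qualifier, and shows that a page with an FTP-retrieved dependent resource is undefined under the first reading but TLS-secured under the second. The Transport and Resource types, the classify function and the example.test URLs are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Transport(Enum):
    """How a resource was retrieved, in the vocabulary of the definitions."""
    STRONG_TLS_HTTP = "strongly TLS protected HTTP transaction"
    WEAK_TLS_HTTP = "weakly TLS protected HTTP transaction"
    PLAIN_HTTP = "unprotected HTTP transaction"
    NON_HTTP = "not an HTTP transaction at all (e.g. FTP)"


HTTP_TRANSPORTS = {Transport.STRONG_TLS_HTTP, Transport.WEAK_TLS_HTTP, Transport.PLAIN_HTTP}


@dataclass(frozen=True)
class Resource:
    url: str  # constructed sample value, only present for readability
    transport: Transport


def classify(top_level: Resource, dependents: list, scope_to_http: bool = False) -> str:
    """Return 'TLS-secured', 'mixed content' or 'undefined' for a Web page.

    scope_to_http=False: every dependent resource counts (current text).
    scope_to_http=True: Joe's qualifier, so resources not retrieved through
    an HTTP transaction are ignored when deciding TLS-secured.
    """
    # Both definitions start from a strongly TLS protected top-level resource.
    if top_level.transport is not Transport.STRONG_TLS_HTTP:
        return "undefined"
    considered = [d for d in dependents
                  if not scope_to_http or d.transport in HTTP_TRANSPORTS]
    # TLS-secured: all considered resources came over strongly TLS protected HTTP.
    if all(d.transport is Transport.STRONG_TLS_HTTP for d in considered):
        return "TLS-secured"
    # Mixed content: some dependent resource came over weakly protected or plain HTTP.
    if any(d.transport in (Transport.WEAK_TLS_HTTP, Transport.PLAIN_HTTP) for d in considered):
        return "mixed content"
    # A non-HTTP dependent resource (e.g. FTP) satisfies neither definition.
    return "undefined"


def ftp_side_effect() -> dict:
    """The FTP case from the thread under both readings (constructed sample page)."""
    top = Resource("https://example.test/", Transport.STRONG_TLS_HTTP)
    deps = [Resource("https://example.test/app.js", Transport.STRONG_TLS_HTTP),
            Resource("ftp://example.test/logo.png", Transport.NON_HTTP)]
    return {"all resources count": classify(top, deps),
            "only HTTP transactions count": classify(top, deps, scope_to_http=True)}


if __name__ == "__main__":
    print(ftp_side_effect())
```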