[agenda] CT Call Tuesday 16 December 2008

Hi,

This is the agenda for tomorrow's call. Let's try to start on time.
Note that I'll be out starting next week until the beginning of next 
year, so either someone replaces me either we cancel next two calls.


-----
Chair: Fran├žois
Staff Contact: Fran├žois
Known regrets: none

Date: 2008-12-16T1500Z for 60mn
Phone: +1.617.761.6200, +33.4.89.06.34.99, +44.117.370.6152
Conference code: 2283 ("BCTF") followed by # key
IRC channel: #bpwg on irc.w3.org, port 6665.

Latest draft:
http://www.w3.org/2005/MWI/BPWG/Group/TaskForces/CT/editors-drafts/Guidelines/081107



1. HTTPS links rewriting
-----
Threads:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0063.html
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0065.html
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Dec/0007.html
http://lists.w3.org/Archives/Public/public-bpwg-comments/2008OctDec/0007.html

- Rewritten links (HTTP and/or HTTPS) are likely to be of the form:
  http[s]://ct-proxy.example.com?uri=[original URI]
- This means that a script running on such a page can basically target 
whatever URI it wants using XHR calls (the "same origin policy" 
condition would be fulfilled by the triple scheme/host/port 
"http"/"ct-proxy.example.com"/80), and that's a typical case of 
cross-site scripting.
- Not specific to HTTPS but with a special resonance in the case of 
HTTPS since it means the user's credentials and/or credit card number 
could be stolen!

- For HTTP links, there is probably a (hacky) way to circumvent the 
problem, e.g. by building a "fake" request for a subsequent page in a 
paginated response that targets the origin server and that is 
intercepted by the proxy in the end and never reaches the origin server.
- For HTTPS links, this solution is by definition impossible.

... and close ACTION-860, ACTION-864 on Jo
... and close ACTION-859 on Francois


2. LC-2040 - On properly defining the X-Device-* headers
-----
Thread:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0062.html
Doc:
http://www.w3.org/2005/MWI/BPWG/Group/TaskForces/CT/editors-drafts/Guidelines/081107#sec-original-headers
Last Call comment:
http://www.w3.org/2006/02/lc-comments-tracker/37584/WD-ct-guidelines-20080801/2040

- Stick to "existing practice" or define the header appropriately?
- I note we also reference the X-Forwarded-For header.

... and close ACTION-879 on Francois.


3. Mandating respect of some heuristics
-----
Thread:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0080.html

- should a mobile CT proxy be allowed to transform content that was 
developed with mobile in mind?
- forbid restructuring and recoding in the cases mentioned by Dom?
- allow exceptions to the rules as proposed by Eduardo?
- add an equivalent to section 4.1.5.4 on responses?


4. WML and the guidelines
-----
Threads:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0068.html
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0071.html

- Mostly merged with previous topic
- Amend the text on http-equiv not to mention specifically *HTML* content?


5. Next calls
-----
- I'm out of office next 2 weeks.
- Hold/Cancel both calls?


6. AOB
-----

Received on Monday, 15 December 2008 10:26:22 UTC