- From: Francois Daoust <fd@w3.org>
- Date: Mon, 15 Dec 2008 11:25:48 +0100
- To: public-bpwg-ct <public-bpwg-ct@w3.org>
Hi,
This is the agenda for tomorrow's call. Let's try to start on time.
Note that I'll be out starting next week until the beginning of next
year, so either someone replaces me or we cancel the next two calls.
-----
Chair: François
Staff Contact: François
Known regrets: none
Date: 2008-12-16T1500Z for 60mn
Phone: +1.617.761.6200, +33.4.89.06.34.99, +44.117.370.6152
Conference code: 2283 ("BCTF") followed by # key
IRC channel: #bpwg on irc.w3.org, port 6665.
Latest draft:
http://www.w3.org/2005/MWI/BPWG/Group/TaskForces/CT/editors-drafts/Guidelines/081107
1. HTTPS links rewriting
-----
Threads:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0063.html
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0065.html
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Dec/0007.html
http://lists.w3.org/Archives/Public/public-bpwg-comments/2008OctDec/0007.html
- Rewritten links (HTTP and/or HTTPS) are likely to be of the form:
http[s]://ct-proxy.example.com?uri=[original URI]
- This means that a script running on such a page can basically target
whatever URI it wants using XHR calls (the "same origin policy"
condition would be fulfilled by the triple scheme/host/port
"http"/"ct-proxy.example.com"/80), and that's a typical case of
cross-site scripting.
- Not specific to HTTPS but with a special resonance in the case of
HTTPS since it means the user's credentials and/or credit card number
could be stolen!
- For HTTP links, there is probably a (hacky) way to circumvent the
problem, e.g. by building a "fake" request for a subsequent page in a
paginated response that targets the origin server and that is
intercepted by the proxy in the end and never reaches the origin server.
- For HTTPS links, this solution is by definition impossible.
... and close ACTION-860, ACTION-864 on Jo
... and close ACTION-859 on Francois
2. LC-2040 - On properly defining the X-Device-* headers
-----
Thread:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0062.html
Doc:
http://www.w3.org/2005/MWI/BPWG/Group/TaskForces/CT/editors-drafts/Guidelines/081107#sec-original-headers
Last Call comment:
http://www.w3.org/2006/02/lc-comments-tracker/37584/WD-ct-guidelines-20080801/2040
- Stick to "existing practice" or define the header appropriately?
- I note we also reference the X-Forwarded-For header.
... and close ACTION-879 on Francois.
3. Mandating respect of some heuristics
-----
Thread:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0080.html
- should a mobile CT proxy be allowed to transform content that was
developed with mobile in mind?
- forbid restructuring and recoding in the cases mentioned by Dom?
- allow exceptions to the rules as proposed by Eduardo?
- add an equivalent to section 4.1.5.4 on responses?
4. WML and the guidelines
-----
Threads:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0068.html
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0071.html
- Mostly merged with previous topic
- Amend the text on http-equiv not to mention specifically *HTML* content?
5. Next calls
-----
- I'm out of office next 2 weeks.
- Hold/Cancel both calls?
6. AOB
-----
Received on Monday, 15 December 2008 10:26:22 UTC
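
The origin collapse described in agenda item 1, as an added example that is not part of the original message: two unrelated sites become same-origin once their links are rewritten to the proxy form `http[s]://ct-proxy.example.com?uri=[original URI]`. The site URLs are constructed, the function names are hypothetical, and keeping the original scheme on the proxy URL is an assumption.

```javascript
// Added example. ct-proxy.example.com is the agenda's placeholder host;
// every other URL below is constructed for illustration.
const PROXY = "http://ct-proxy.example.com/";
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as the scheme/host/port triple compared by the same-origin policy.
function originTriple(uri) {
  const u = new URL(uri);
  return [u.protocol.replace(":", ""), u.hostname,
          u.port || DEFAULT_PORTS[u.protocol]];
}

function sameOrigin(a, b) {
  return originTriple(a).join("|") === originTriple(b).join("|");
}

// Rewrite a link to the proxy form: proxy URL plus ?uri=[original URI].
// Assumption: the proxy URL keeps the scheme of the original link.
function rewriteLink(original) {
  const out = new URL(PROXY);
  out.protocol = new URL(original).protocol;
  out.searchParams.set("uri", original);
  return out.href;
}

// Compare what the browser sees without and with link rewriting.
function compare(pageUri, targetUri) {
  const page = rewriteLink(pageUri);
  const target = rewriteLink(targetUri);
  return {
    direct: sameOrigin(pageUri, targetUri),   // the two sites as served directly
    viaProxy: sameOrigin(page, target),       // the same two sites behind the proxy
    proxyOrigin: originTriple(page).join("/"),
  };
}

// Constructed sample: a page on one site and a resource on an unrelated site.
console.log(compare("http://forum.example.org/thread/42",
                    "http://shop.example.net/account"));
// HTTPS links collapse the same way, onto the proxy's HTTPS origin.
console.log(compare("https://forum.example.org/thread/42",
                    "https://bank.example.net/login"));
```
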