Re: Cache-Control: no-transform and "dangerous" content from Francois Daoust on 2008-02-05 (public-bpwg-ct@w3.org from February 2008)

From: Francois Daoust <fd@w3.org>
Date: Tue, 05 Feb 2008 09:44:38 +0100
To: Aaron Kemp <kemp@google.com>
CC: public-bpwg-ct@w3.org
Message-ID: <47A821F6.4090104@w3.org>

I think I get your point on no-transform which I would rephrase and 
summarize as:
"The CT-proxy MAY transform content flagged by the server with a 
Content-Cache: no-transform directive if it thinks it's dangerous, but 
it MUST get the approval of the user beforehand. Persistent registration 
of the user's choice by the CT-proxy is allowed."

In this case, the CT-proxy acts like a kind of extension of the user's 
browser and is controlled by the user. That sounds reasonable. It's a 
deviation from the HTTP RFC but then, the more I think about it, the 
more I find our CT-proxy doesn't exactly fit in the definition of what 
the HTTP RFC calls a proxy (or a gateway for that matter).

François.


Aaron Kemp wrote:
> Sorry for my very delayed reply.  I have been very busy recently (as I'm 
> sure all of us are).
> 
> On Jan 23, 2008 6:30 AM, Francois Daoust <fd@w3.org <mailto:fd@w3.org>> 
> wrote:
> 
> 
>     and at the end of "3.5 Proxy Response to client":
>     "[...] if the proxy determines that the resource as currently
>     represented is likely to cause serious mis-operation of the client then
>     the proxy may transform the resource but only sufficiently to alter the
>     specific aspect of the content that is likely to cause mis-operation.
>     Proxies must not exhibit this behavior unless this has been specifically
>     allowed by both the server and the user. [@@ either by persistent
>     registration of preferences, or by use of the [@@correct dangerous
>     content] directive.]"
> 
> 
> As long as the "persistent registration of preferences" clause exists, I 
> can be a happy camper.  I think the odds of site owners actually adding 
> an additional clause to the "no-transform" directive is small (since I 
> believe most cases of "no-transform" are applied without though of the 
> consequences).  I unfortunately have not had a change to gather metrics 
> about the number of sites that use 'no-transform'.  It's possible that 
> it isn't widely used, in which case it is probably not a big deal.
> 
>     4. Aaron (Kemp)
>     Before leaving the teleconf' yesterday, you mentioned you were thinking
>     exceptions were indeed needed.
> 
> 
> Yes - "dangerous" or simply unsupported content.  It's a problem to 
> crash a phone, but it's also a problem to force the user to download 
> several hundred kilobytes of useless content. 
> 
> Sorry for the delay, again, but I wanted to get this down since I won't 
> be able to make the call tomorrow.
> 
> Aaron

Received on Tuesday, 5 February 2008 08:45:02 UTC