RE: [ACTION-603] Conversation with Yves, our HTTP expert, about CT and Cache-Control extensions

Magnus,
We can consider protection from "rogue" sites as one of those basic services that CT proxies can offer, e.g. as a CT Service Provider option (a default behavior for all users). Beyond this basic goal, which is in line with the goals of CT as we have scoped it (don't send something that might break the browser), blacklisting of sites gets into a policy control area which is another type of value-add, that I suggest we stay away from.
 
I say that management of such a blacklist would be a "CT Service Provider option" since it's unlikely that they would want to require or offer user control of such a feature (e.g. I as a user do not want to have to manage a bad site blacklist, I want my service provider to do it).

Bryan Sullivan | AT&T 
________________________________

From: Magnus Lönnroth [mailto:magnus.lonnroth@ericsson.com] 
Sent: Tuesday, February 05, 2008 6:44 AM
To: Aaron Kemp; Sullivan, Bryan
Cc: public-bpwg-ct
Subject: RE: [ACTION-603] Conversation with Yves, our HTTP expert, about CT and Cache-Control extensions



[WARNING: link below crashes Internet Explorer]
 
But this breaks pages that are specifically designed to crash a browser, like http://www.crashie.com/
 
I'm not condoning it - just pointing it out. And I think it would be a simpler/better approach to just blacklist sites that do this. And there are probably a gazillion similar exploits. Blacklisting has the added benefit of adding a strong incentive for the origin server to fix the issue.
 
thanks,

Magnus Lönnroth
Head of PDU SDP
Development Unit Multimedia Products
Ericsson AB


 


________________________________

	From: public-bpwg-ct-request@w3.org [mailto:public-bpwg-ct-request@w3.org] On Behalf Of Aaron Kemp
	Sent: 4 February 2008 17:40
	To: Sullivan, Bryan
	Cc: public-bpwg-ct
	Subject: Re: [ACTION-603] Conversation with Yves, our HTTP expert, about CT and Cache-Control extensions
	
	

	On Feb 4, 2008 11:20 AM, Sullivan, Bryan <BS3131@att.com> wrote:
	

		Aaron,
		So you believe it is acceptable to ignore the "no-transform" directive, e.g. if you believe that is what the user wants by accessing a site through your system?


	Unfortunately yes, in some cases.  In cases where we would send content to the mobile that will cause it to reset, or otherwise fail to display the page, I believe it is better to modify the content.  I recognize that this opinion is not universally shared.
	
	Currently, we will do this without asking the user.  I can imagine a good compromise between breaking a user's phone and obeying the site owner's wishes being that we could show an interstitial page saying "listen, the content author asked us not to change their site, but if we don't, it's going to crash your phone.  Do you want us to modify it anyway?"
	 

		
		That gets to the essence of my earlier comments that the CT Service Provider's awareness of user preferences sometimes can (and should) trump the indicated preference of the content provider.


	Right.  It is my opinion that this is the case.  But again, I realize others do not feel this way.
	
	If we cannot reach consensus on this, I would rather put up a page saying "Sorry, you can't safely access this content" and not allow the user to continue, than crash the user's phone.
	
	Aaron

Received on Tuesday, 5 February 2008 15:58:52 UTC