- From: Francois Daoust <fd@w3.org>
- Date: Tue, 16 Dec 2008 18:31:25 +0100
- To: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>
ISSUE-285: Does BPWG feel it can write Best Practices on links rewriting in the CT guidelines? Or that it cannot be a best practice?

http://www.w3.org/2005/MWI/BPWG/Group/track/issues/

Raised by: François Daoust

On Product: Guidelines for Web Content Transformation Proxies

The discussion on links re-writing goes on within the Content Transformation Task Force. The Task Force feels the working group as a whole should give its point of view on this before we work on potential resulting guidelines. Here is a short attempt to summarize the issue.

Content Transformation proxies need to rewrite links on a common basis, or perhaps more precisely, they need to switch from being a "proxy" to becoming an "end point". For instance:

- tokenization of the URIs may be performed to minimize the size of the page returned to the end user.
- when a page gets fragmented, links to subsequent pages then target the proxy as the origin server.
- HTTPS links may be rewritten to enable the possibility to transcode an HTTPS web site.

At the URI level, this means that the URI moves from:

http://[original URI]

... to something like:

http://ct-proxy.example.com/?uri=[original URI]

Security problems arise when links rewriting is performed, mostly because the origin is changed: the same-origin policy that prevents cross-site scripting attacks cannot apply anymore because the CT-proxy typically makes the Web look as if there was one origin. The list of problems also includes cookies, the change of referer, the use of client certificates, and probably others. Problems occur whether rewritten links are in HTTP or in HTTPS, with a specific emphasis in the case of HTTPS.

One possible solution is for the CT-proxy to suppress scripting from the content it transforms when it rewrites links.

But the question at stake is rather: is there any "best" practice that can be recommended here?
Does the group rather consider that there is by essence no best practice to recommend in that situation, that links rewriting cannot be condoned as a best practice?
Received on Tuesday, 16 December 2008 17:31:58 UTC
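
An added illustration of the origin change described in the message above (not part of the original email, and not code from the working group): it rewrites links into the `http://ct-proxy.example.com/?uri=` form and compares the origins a browser would compute before and after. The sample links and all function names are constructed for this example.

```javascript
// Rewritten-link form quoted in the message; everything else here is assumed.
const PROXY_ENDPOINT = "http://ct-proxy.example.com/";

// Origin as a browser computes it: scheme, host and port.
const originOf = (uri) => new URL(uri).origin;

// Rewrite a link so it targets the proxy and carries the original URI as a parameter.
function rewriteLink(originalUri) {
  const rewritten = new URL(PROXY_ENDPOINT);
  rewritten.searchParams.set("uri", originalUri); // percent-encodes the original URI
  return rewritten.toString();
}

// What the proxy has to recover in order to fetch the real resource.
const originalOf = (rewrittenUri) => new URL(rewrittenUri).searchParams.get("uri");

// List pairs of links that were cross-origin before rewriting and same-origin after,
// i.e. pairs for which the same-origin policy no longer separates scripts or cookies.
function auditRewrite(links) {
  const originsBefore = new Set(links.map(originOf));
  const originsAfter = new Set(links.map((l) => originOf(rewriteLink(l))));
  const mergedPairs = [];
  for (let i = 0; i < links.length; i++) {
    for (let j = i + 1; j < links.length; j++) {
      const wasCross = originOf(links[i]) !== originOf(links[j]);
      const nowSame = originOf(rewriteLink(links[i])) === originOf(rewriteLink(links[j]));
      if (wasCross && nowSame) mergedPairs.push([links[i], links[j]]);
    }
  }
  return { originsBefore: [...originsBefore], originsAfter: [...originsAfter], mergedPairs };
}

// Constructed sample links: three distinct origins, one of them HTTPS.
const SAMPLE_LINKS = [
  "http://news.example.org/story?id=1",
  "https://bank.example.net/login",
  "http://forum.example.com:8080/thread/42",
];

const report = auditRewrite(SAMPLE_LINKS);
console.log(report);
```
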