On Fri, Nov 19, 2010 at 7:18 AM, Andrei Popescu <andreip@google.com> wrote: > On Tue, Nov 16, 2010 at 11:17 AM, Anne van Kesteren <annevk@opera.com> > wrote: > > On Mon, 15 Nov 2010 16:32:49 +0100, Doug Turner <dougt@dougt.org> wrote: > >> > >> I'd like the consideration section to reflect the intent we had. I > would > >> rather have us leave the MUST but change what we meant to be displayed > to > >> the user. Maybe "HOST of the requesting document". There are probably > >> others with a better name for this field. > > > > Host is not really good either. You want to know secure versus insecure > for > > instance. > > Hmm, why is this? Nobody (including Opera) does this at the moment. > Just to repeat, this is incorrect. Safari (as of 5.0 [1]) and Mobile Safari (as of iOS 4.1 [2]) both display the scheme in their modal permissions dialogs. Chrome used to display the scheme (in 5.0) but got rid of it -- it would be interesting to know the decision process there. > > Now whether this is displayed as a lock versus http/https should > > be up to the user agent. In fact, if the user agent comes up with a novel > > idea to clearly indicate what page the dialog belongs to I think that > should > > be allowed as well. > > If we said "host", that wouldn't prevent the UA from doing what you > propose. > Agreed. Specifying "host" wouldn't stop a UA from showing more: the scheme, the port, the extended validation certificate identity or any other potentially relevant information. But the Working Group may still want to normatively specify a lower bound that includes whether or not the script was loaded over HTTPS. Thanks, Nick [1] http://npdoty.name/location/safari-permission.jpg [2] http://npdoty.name/location/iphone-permission.jpg
Received on Saturday, 20 November 2010 05:12:06 UTC