- From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
- Date: Sun, 09 Dec 2007 22:00:00 +0100
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Hello all,

http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage

AFAICT, the following recommendations are not yet in wsc-xit, or possibly not sufficiently covered.

#6/#16: all-EV site (or in new nomenclature: all-AA sites).

#12: Delayed security level change (mostly to upgrade security level, despite unsecure loading). May be covered by current security level change language.

More radical proposals not included

#8: Forbid mixing of non-TLS-protected content in TLS-protected webpages

#10: Forbid unsecure->secure password submit by clients

#11: secure->Unsecure POST submits

#13: Treat https-part of URL as a security indicator (also, relevant in relation to "Chinese whispers"-robustness, ACTION-347)

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone: +47 24 16 42 60               Fax: +47 24 16 40 01
********************************************************************

Received on Sunday, 9 December 2007 21:00:38 UTC