ISSUE-144: Do we need to specify mixed content in more detail? [wsc-xit] from Web Security Context Working Group Issue Tracker on 2007-12-17 (public-wsc-wg@w3.org from December 2007)

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 17 Dec 2007 10:31:19 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20071217103119.AD0D35F70A@stu.w3.org>

ISSUE-144: Do we need to specify mixed content in more detail? [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Thomas Roessler
On product: wsc-xit

In 5.4, we currently say:

<QUOTE> 

[Definition: A Web page is called TLS-secured if the top-level resource and all other resources that can affect or control the page's content and presentation have been retrieved through strongly TLS protected HTTP transactions.]

This definition implies that inline images, stylesheets, script content, and frame content for a secure page need to be retrieved through strongly TLS protected HTTP tansactions in order for the overall page to be considered TLS-secured.
</QUOTE>

I wonder whether we need to specify in more detail what this means for certain content types.  E.g., how do multiple layers of stylesheets interact with the notion of a TLS-secured page? Is this really the ultimate wisdom on framesets?  And so on.  Put briefly, I think this needs some more review and discussion.

Received on Monday, 17 December 2007 10:31:28 UTC