- From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Mon, 17 Dec 2007 10:40:53 +0000 (GMT)
- To: public-wsc-wg@w3.org
ISSUE-145: WhatIsASecurePage not fully incorporated [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Yngve Pettersen
On product: wsc-xit

This issue tracks the points raised in this message:
http://www.w3.org/mid/op.t225ya12qrq7tp@nimisha.oslo.opera.com

http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage

AFAICT, the following recommendations are not yet in wsc-xit, or possibly not sufficiently covered.

#6/#16: all-EV site (or in new nomenclature: all-AA sites).

#12: Delayed security level change (mostly to upgrade security level, despite unsecure loading). May be covered by current security level change language.

More radical proposals not included

#8: Forbid mixing of non-TLS-protected content in TLS-protected webpages

#10: Forbid unsecure->secure password submit by clients

#11: secure->Unsecure POST submits

#13: Treat https-part of URL as a security indicator (also, relevant in relation to "Chinese whispers"-robustness, ACTION-347)

Received on Monday, 17 December 2007 10:41:00 UTC