- From: Hal Lockhart <hlockhar@bea.com>
- Date: Tue, 30 Jan 2007 10:01:40 -0800
- To: <yngve@opera.com>, "George Staikos" <staikos@kde.org>, "W3 Work Group" <public-wsc-wg@w3.org>
By protected, I meant secure in the sense used at the start of this thread, i.e. does the browser currently show a padlock?

So are you saying I can be looking at a page, marked with a padlock, with the URI and the main Frame from BusyBank.com (using TLS) and another Frame from EvilGuys.org (also using TLS)?

Hal

> -----Original Message-----
> From: Yngve Nysaeter Pettersen [mailto:yngve@opera.com]
> Sent: Tuesday, January 30, 2007 10:49 AM
> To: Hal Lockhart; George Staikos; W3 Work Group
> Subject: Re: What is a secure page?
>
> On Tue, 30 Jan 2007 16:31:17 +0100, Hal Lockhart <hlockhar@bea.com> wrote:
>
> >
> > I can think of a clarification and two more cases to think about.
> >
> > First, when you say all the content on a page is protected, does that
> > imply it is all from the same site? (same in the sense of the XSS rules,
> > e.g. *.example.com)
>
> If "protected" means "served by TLS" with authentication and encryption
> I'd say that as long as all elements are served in such a manner the
> content of the page is protected. (one might argue about authentication
> only ciphers, but those do not protect the data against eavesdropping,
> only modification)
>
> As I've mentioned earlier, there are a couple of corner cases, such as
> initial unsecure-to-secure redirects where one would have to consider
> whether or not the resulting page can be considered secure.
>
> > Second, what about pages with frames. Presumably all the frames are
> > considered a page, but I believe frames can be updated individually.
> > What happens if one frame goes insecure?
> >
> > Similar questions apply to an Ajax application. What happens if an
> > update is not secure?
>
> IMO, as soon as a frame, script, applet etc. requests data over an
> unsecure connection, the security level should be set to "not secure".
> That is the way Opera works.
>
> An application usually has no way to tell how sensitive a resource is
> (for example: is it "just" a spacer image, or is it a graph that could
> possibly leak information about what a high profile investor would be
> investing in next?). As should be apparent, I lean in the direction that
> mixing secure and unsecure content should not be permitted (we do at the
> moment due to interoperability concerns, but I'd rather not).
>
> >> -----Original Message-----
> >> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> >> On Behalf Of George Staikos
> >> Sent: Sunday, January 21, 2007 10:24 PM
> >> To: W3 Work Group
> >> Subject: Re: What is a secure page?
> >>
> >> Hmm does that mean that the location/url bar is going into the tab
> >> too? :-)
> >>
> >> On 17-Jan-07, at 9:35 AM, Stuart E. Schechter wrote:
> >>
> >> >>> The FireFox 2 tabs contain a window close button that used to be
> >> >>> part of the window frame. Presumably they were moved here because
> >> >>> users didn't understand, or weren't comfortable with, the model in
> >> >>> which a close icon for the window closed a tab.
> >> >>
> >> >> So that sounds like data that could be used to argue the scoping is
> >> >> effective.
> >> >>
> >> >> Mez
> >> >
> >> > I don't understand the logic there. Firefox 2 is moving away from the
> >> > model in which users are presumed to understand that all browser
> >> > buttons within a window apply to the current tab. They are moving to a
> >> > model in which you have to explicitly show the user that the button
> >> > applies to the tab by putting it into the tab itself. How would you
> >> > argue that this change supports the effectiveness of the scoping?
> >>
> >> --
> >> George Staikos
> >> KDE Developer http://www.kde.org/
> >> Staikos Computing Services Inc. http://www.staikos.net/
>
> --
> Sincerely,
> Yngve N. Pettersen
>
> ********************************************************************
> Senior Developer                Email: yngve@opera.com
> Opera Software ASA              http://www.opera.com/
> Phone: +47 24 16 42 60          Fax: +47 24 16 40 01
> ********************************************************************

Received on Tuesday, 30 January 2007 18:02:54 UTC
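
Added example, not part of the original thread: a JavaScript sketch of the rule described in the quoted reply (any insecure request sets the page to "not secure"), applied to the two-frame case asked about in the message and to a later insecure Ajax update. `evaluatePage`, the load-record format and the `.example` hostnames are constructed for illustration and do not come from any browser's code.

```javascript
// Added illustration. evaluatePage, the load-record format and the
// .example hostnames are constructed; they are not any browser's code.

// Rule from the thread: the indicator is "secure" only while every request
// made for the page (frame, script, image, Ajax update) used TLS. The first
// insecure request downgrades it, and later secure loads do not restore it.
function evaluatePage(topUrl, loads) {
  const top = new URL(topUrl);
  let secure = top.protocol === 'https:';
  let downgradedBy = null;
  const foreignOrigins = new Set();

  for (const load of loads) {          // loads are in request order
    const u = new URL(load.url);
    if (secure && u.protocol !== 'https:') {
      secure = false;
      downgradedBy = load;             // remember what caused the downgrade
    }
    // Assumption: "same site" is taken as an exact scheme/host/port match.
    if (u.origin !== top.origin) foreignOrigins.add(u.origin);
  }
  return {
    indicator: secure ? 'secure' : 'not secure',
    downgradedBy,
    foreignOrigins: [...foreignOrigins].sort(),
  };
}

// Constructed sample loads for a page at busybank.example.
const TOP = 'https://busybank.example/account';
const allTls = [
  { kind: 'frame',  url: 'https://busybank.example/main' },
  { kind: 'frame',  url: 'https://evilguys.example/banner' },
  { kind: 'script', url: 'https://busybank.example/app.js' },
];
const withInsecureUpdate = [
  ...allTls,
  { kind: 'xhr',   url: 'http://busybank.example/quotes.json' },
  { kind: 'image', url: 'https://busybank.example/logo.png' },
];

// All-TLS page: indicator stays "secure" although a second origin is framed.
console.log(evaluatePage(TOP, allTls));
// One plain-http update: indicator drops and stays "not secure".
console.log(evaluatePage(TOP, withInsecureUpdate));
```

The first result shows that a TLS-only rule reports "secure" while still listing a foreign origin, so the indicator alone does not say whose content is in each frame.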