- From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
- Date: Thu, 17 May 2007 01:20:47 +0200
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Hello all,

On Tue, 15 May 2007 22:29:30 +0200, Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com> wrote:

> I have just put my proposals about "what a secure page is" on the Wiki
>
> http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage
>
> Some may disagree with several of the suggestions, or have doubts about
> them ever being adopted.

Well, well, well (or perhaps not so well). Even more bad examples show up. This time it is Amazon's "secure" frontpage.

Earlier this evening it came to my attention that Amazon.com's allegedly secure homepage <https://www.amazon.com/> sometimes includes unsecure content in several locations of the page.

Curiously enough there seems to be a browser-sniffing component involved; I was never able to observe the problem while using Firefox 1.5 or with Opera masking as FF (after cookies had been cleared). I was definitely able to observe it with IE 6 and Opera identified as Opera.

My testing found that Amazon's secure home page served pages where:

* The "Harry Potter" image in the "Books Bestsellers" section is often served from an unsecure server.
* An external JavaScript used with the "Bare Necessities" section is often served from an unsecure server. This also happened to several other sections.
* A Flash applet advertising books (and in this particular case, adding insult, by my favorite author! :( )

The actual combinations varied as Amazon was cycling through variant content.

The JavaScript case is the most serious one because the script can get full control of the page.

As I said, it looked like FF never was handed the unsecure content (I do not know why), but both IE 6 and Opera were served content requesting unsecure content.

A complete block of unsecure content in secure pages would have discouraged this kind of problem.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Wednesday, 16 May 2007 23:21:07 UTC