- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Tue, 18 Sep 2007 15:42:24 +0200
- To: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
On Tue, 18 Sep 2007 14:04:14 +0200, Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org> wrote:

>
> ISSUE-107: Should there be any recommendations for https->http form
> submissions? [Techniques]
>
> http://www.w3.org/2006/WSC/track/issues/
>
> Raised by: Thomas Roessler
> On product: Techniques
>
> Per ACTION-289, I've updated the editor's draft to call out explicitly
> that we do not consider it a "change of security level" if a form on an
> HTTPS site is submitted by plain HTTP.
>
> @@Web Security Context@@
> Editor's Draft $Date: 2007/09/18 12:01:01 $
> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#change-redirects
>
> The issue is whether we should be covering this situation.

I think it should be covered, and that we should discourage the practice. I know there are some harmless uses, such as submitting a google query, but I do not think these are important enough, and the query can be handled in a different manner.

I think most clients are already warning about HTTPS->HTTP form submits.

While it is not form submission as such, and may be covered by other sections of the document, I have seen sites [1] using Flash applets to submit HTTP POST queries from HTTPS hosted applets, and in one case [2] (August 2006), involving the Wynn Las Vegas Hotel, *credit card* details were submitted in that fashion. AFAIK Opera is currently the only client warning about this type of form submission.

[1] Example: https://www.beatport.com/
[2] Hotel "Alpha": http://my.opera.com/yngve/blog/show.dml/382945

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone: +47 24 16 42 60               Fax: +47 24 16 40 01
********************************************************************
Received on Tuesday, 18 September 2007 13:42:40 UTC
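
The check a client or site auditor would make for the HTTPS->HTTP form submissions discussed in this message, as an added example that is not part of the original message or of any browser's code. It covers HTML forms only (not the Flash case); the function names, hosts and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the original message); hosts are placeholders.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="http://search.example/q"><input name="q"></form>
<form action="/login" method="post"><input name="user">
  <button formaction="http://pay.example/charge">Pay</button></form>
<form method="post"><input name="note"></form>
"""

class FormTargetCollector(HTMLParser):
    """Collects form submission targets plus the first <base href>."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.base_seen = False
        self.targets = []  # (tag, raw attribute value) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and not self.base_seen:
            self.base = urljoin(self.base, a["href"])  # only the first one counts
            self.base_seen = True
        elif tag == "form":
            self.targets.append(("form", a.get("action") or ""))
        elif tag in ("button", "input") and a.get("formaction"):
            self.targets.append((tag, a["formaction"]))  # overrides the form's action


def insecure_form_targets(page_url, html):
    """Return (tag, resolved URL) pairs that leave an HTTPS page for plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # only the HTTPS -> HTTP transition is checked
    collector = FormTargetCollector(page_url)
    collector.feed(html)
    flagged = []
    for tag, raw in collector.targets:
        # A missing or empty action submits to the document's own URL, not <base>.
        resolved = urljoin(collector.base, raw) if raw else page_url
        if urlsplit(resolved).scheme == "http":
            flagged.append((tag, resolved))
    return flagged


if __name__ == "__main__":
    print(insecure_form_targets(SAMPLE_URL, SAMPLE_HTML))
```

Targets set or rewritten by script at submit time are not visible to a static scan like this one, so a client-side warning still has to be evaluated when the submission actually happens.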