- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 19 Sep 2007 11:53:48 +0300
- To: Yngve Nysaeter Pettersen <yngve@opera.com>
- Cc: Web Security Context Working Group WG <public-wsc-wg@w3.org>
On 2007-09-18 15:42:24 +0200, Yngve Nysaeter Pettersen wrote:

>> Per ACTION-289, I've updated the editor's draft to call out explicitly that
>> we do not consider it a "change of security level" if a form on an HTTPS
>> site is submitted by plain HTTP.
>>
>> @@Web Security Context@@
>> Editor's Draft $Date: 2007/09/18 12:01:01 $
>> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#change-redirects
>>
>> The issue is whether we should be covering this situation.

> I think it should be covered, and that we should discourage the
> practice. I know there are some harmless uses, such as submitting
> a google query, but I do not think these are important enough,
> and the query can be handled in a different manner.

One question is whether we'd best discourage this by way of an
authoring best practice, or whether we suggest that this situation
trigger a hard error.

> I think most clients are already warning about HTTPS->HTTP form
> submits.

... with a "don't bother me again" checkbox pre-selected, or so.

> While it is not form submission as such, and may be covered by
> other sections of the document, I have seen sites [1] using Flash
> applets to submit HTTP POST queries from HTTPS hosted applets,
> and in one case [2] (August 2006), involving the Wynn Las Vegas
> Hotel, *credit card* details were submitted in that fashion.
> AFAIK Opera is currently the only client warning about this type
> of form submission.

There are a number of techniques of that kind which could be used.
E.g., you could write an <img/> (or script, or iframe, or ...)
element into the DOM using JavaScript, and put the credit card
number into the URL.

So, I'm wondering how we would frame this in a way that could
actually be implemented.

Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 19 September 2007 08:53:54 UTC