- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Mon, 2 Feb 2009 17:49:27 -0500
- To: tyler.close@hp.com
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
- Message-ID: <OFB8C99E7D.480EFD7E-ON85257551.007C8CDE-85257551.007D60A5@LocalDomain>
Thanks Tyler. I get what you're getting at, but am struggling with the text. I've moved a bit around and tried to be a bit more explicit. I like this better; other opinions?

Under the browser's Same Origin policy, separately displayed webpages from the same origin can freely read and modify each other's state. A webpage's origin is comprised of the scheme, host and port of the URL used to retrieve the webpage. The origin does not take into account any attributes of the TLS session or server certificate used when retrieving a webpage. For example, consider a user agent that has loaded two webpages from https://www.example.com/. When the first page was retrieved, an Augmented Assurance Certificate (AAC) was used by the TLS session. When the second page was retrieved, a different certificate, such as a domain validated or self-signed certificate, was used. Though the first page was retrieved using an AAC certificate, the second page can freely read and write the first page. Differing security presentations of the two pages may obscure this relationship in the mind of the user.

I would also love to close this paragraph with a line such as "Future security context presentations may find better ways to relay this complex information to the user in a useful fashion."

From: "Close, Tyler J." <tyler.close@hp.com>
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 01/28/2009 12:39 PM
Subject: ACTION-509 Cross-frame scripting notes for "Security Considerations" section
Sent by: public-wsc-wg-request@w3.org

I recommend we extend section 8.6 "Mixing Augmented Assurance and Validated Certificates" with the following paragraph:

"""
Under the browser's Same Origin policy, separately displayed webpages from the same origin can freely read and modify each other's state. A webpage's origin is comprised of the scheme, host and port of the URL used to retrieve the webpage. The origin does not take into account any attributes of the TLS session or server certificate used when retrieving a webpage. This document recommends presentation of the security attributes of the TLS session used to retrieve a webpage. If separate webpages are retrieved using separate TLS sessions, their security presentations may differ, even though neither page can be trusted any more than the other. For example, consider a user agent that has loaded two webpages from https://www.example.com/. When the first page was retrieved, an Augmented Assurance Certificate (AAC) was used by the TLS session. When the second page was retrieved, a different certificate, such as a domain validated or self-signed certificate, was used. Though the first page was retrieved using an AAC certificate, it should not be trusted any more than the second page, since the second page can freely read and write the first page. Differing security presentations of the two pages may obscure this relationship in the mind of the user.
"""

This email completes ACTION-509.

--Tyler
Received on Monday, 2 February 2009 22:50:10 UTC
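
The origin comparison discussed in this thread, as an added example that is not part of either message or of the WSC draft: it derives the origin from scheme, host and port only, then lists origins whose loaded pages arrived under different certificate kinds. The page list, the certificate labels, their ranking and all function names are assumptions made for illustration.

```javascript
// Added illustration (not from the thread or the WSC draft).
// Constructed sample: pages a user agent has loaded, tagged with the kind of
// certificate each TLS session presented. The labels are assumptions.
const loadedPages = [
  { url: "https://www.example.com/account", cert: "aac" },
  { url: "https://www.example.com:443/news", cert: "self-signed" },
  { url: "https://shop.example.com/", cert: "aac" },
];

// Assumed ordering of certificate kinds, weakest first.
const ASSURANCE_RANK = { "self-signed": 0, "dv": 1, "aac": 2 };
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = scheme, host and port only; nothing about the TLS session.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a.url) === originOf(b.url);
}

// Group pages by origin and track the weakest certificate seen for each.
function assuranceByOrigin(pages) {
  const byOrigin = new Map();
  for (const page of pages) {
    const key = originOf(page.url);
    const entry = byOrigin.get(key) || { certs: new Set(), weakest: page.cert };
    entry.certs.add(page.cert);
    if (ASSURANCE_RANK[page.cert] < ASSURANCE_RANK[entry.weakest]) {
      entry.weakest = page.cert;
    }
    byOrigin.set(key, entry);
  }
  return byOrigin;
}

// Origins whose pages would receive differing security presentations even
// though they can read and write each other.
function mixedOrigins(pages) {
  return [...assuranceByOrigin(pages)]
    .filter(([, entry]) => entry.certs.size > 1)
    .map(([origin, entry]) => ({ origin, weakest: entry.weakest }));
}

console.log(mixedOrigins(loadedPages));
```
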