Re: ACTION-509 Cross-frame scripting notes for "Security Considerations" section

On 2 Feb 2009, at 23:49, Mary Ellen Zurko wrote:

> Thanks Tyler. I get what you're getting at, but am struggling with  
> the text. I've moved a bit around and tried to be a bit more  
> explicit. I like this better; other opinions? :

I think either variant of the text is fine.

> Under the browser's Same Origin policy, separately displayed  
> webpages from the same origin can freely read and modify each  
> other's state. A webpage's origin is comprised of the scheme, host  
> and port of the URL used to retrieve the webpage. The origin does  
> not take into account any attributes of the TLS session or server  
> certificate used when retrieving a webpage. For example, consider a  
> user agent that has loaded two webpages from https://www.example.com/.  
> When the first page was retrieved, an Augmented  
> Assurance Certificate (AAC) was used by the TLS session. When the  
> second page was retrieved, a different certificate, such as a domain  
> validated or self-signed certificate, was used. Though the first  
> page was retrieved using an AAC certificate, the second page can  
> freely read and write the first page. Differing security  
> presentations of the two pages may obscure this relationship in the  
> mind of the user.
>
> I would also love to close this paragraph with a line such as  
> "Future security context presentations may find better ways to relay  
> this complex information to the user in a useful fashion."

If we have an idea what that presentation could look like, we should  
have been working on it.

If we don't have that idea, then it's pointless to point at it.  Just  
my $0.02.

Received on Wednesday, 4 February 2009 21:03:59 UTC
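The origin tuple the quoted paragraph describes, as an added example that is not part of the thread: the comparison uses only scheme, host and port, so the certificate type recorded for each constructed fetch (a hypothetical field, not anything a browser exposes) has no bearing on whether two pages are same-origin.

```javascript
// Added example (not from the thread): compute a browser origin the way the
// quoted paragraph describes it, as the (scheme, host, port) of the URL.
// Nothing about the TLS session or server certificate enters the tuple, so two
// documents from the same scheme/host/port are same-origin regardless of which
// certificate (AAC, domain-validated, self-signed) each was fetched with.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  // Fill in the default port so "https://host/" and "https://host:443/"
  // produce the same tuple.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Each record is a constructed fetch; `cert` is a hypothetical annotation of
// the certificate used for that retrieval and is deliberately ignored here.
function sameOrigin(fetchA, fetchB) {
  return originOf(fetchA.url) === originOf(fetchB.url);
}

const firstPage  = { url: "https://www.example.com/",          cert: "augmented-assurance" };
const secondPage = { url: "https://www.example.com:443/other", cert: "self-signed" };
const plainPage  = { url: "http://www.example.com/",           cert: null };

// Same scheme/host/port: the second page can script the first, AAC or not.
const crossCert = sameOrigin(firstPage, secondPage); // → true
// Different scheme (and port): not the same origin.
const crossScheme = sameOrigin(firstPage, plainPage); // → false
```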