- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 14 Oct 2009 15:42:16 +0200
- To: fd@w3.org
- Cc: public-bpwg-comments@w3.org, Mary_Ellen_Zurko@notesdev.ibm.com, public-wsc-wg@w3.org
From a quick review, section 4.2.9.3 looks vastly improved. I'll solicit the WSC WG's opinions on the changed version; speaking personally, I'm happy with the current text. I would like to call out a specific point in 4.2.9.2: > Proxies must preserve security between requests for domains that are > not same-origin in respect of cookies and scripts. It is probably worthwhile to call out in non-normative security considerations what that actually means -- namely, fairly heavy rewriting of scripts along the lines of what CaJa does, and rewriting of cookies to emulate the behavior that a browser would otherwise show. As a final comment, in the check list at the top of section 4.9.2, the "other factors" laudably include: > "the user agent has features (such as linearization or zoom) that > allow it to present the content unaltered;" Given that content transformation proxies at times depend on the network that is used to access a resource, it might also be worthwhile calling out the use of a "desktop" browser over a mobile network as a case that proxies should take into account. Regards, -- Thomas Roessler, W3C <tlr@w3.org> On 6 Oct 2009, at 17:34, fd@w3.org wrote: > > Dear Thomas Roessler , > > The Mobile Web Best Practices Working Group has reviewed the > comments you > sent [1] on the Last Call Working Draft [2] of the Content > Transformation > Guidelines 1.0 published on 1 Aug 2008. Thank you for having taken > the time > to review the document and to send us comments! > > The Working Group's response to your comment is included below, and > has > been implemented in the new version of the document available at: > http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/. > > Please review it carefully and let us know by email at > public-bpwg-comments@w3.org if you agree with it or not before 6 > November > 2009. In case of disagreement, you are requested to provide a specific > solution for or a path to a consensus with the Working Group. If > such a > consensus cannot be achieved, you will be given the opportunity to > raise a > formal objection which will then be reviewed by the Director during > the > transition of this document to the next stage in the W3C > Recommendation > Track. > > Thanks, > > For the Mobile Web Best Practices Working Group, > Dominique Hazaël-Massieux > François Daoust > W3C Staff Contacts > > 1. http://www.w3.org/mid/20080829090132.GB224@iCoaster.does-not-exist.org > 2. http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/ > > > ===== > > Your comment on 4.3.6.2 HTTPS Link Re-writing: >> Dom, >> >> thanks for your request for review. >> >> With respect to the guidelines regarding the rewriting of HTTPS >> URIs, we notice that any such rewriting will break any use of TLS >> for authenticating the client to the server (e.g., use of TLS client >> certificates). Similarly, any applications on top of HTTPS that rely >> on TLS channel bindings would detect the proxy's intervention as an >> attack, and lead to a broken user experience; see RFC 5056 for more >> details about channel bindings. >> >> We recommend that you discuss this aspect with the IETF TLS Working >> Group. >> >> Regards, > > > Working Group Resolution (LC-2085): > We agree and have added text that reflects your concerns and discussed > with the IETF TLS Working Group: > http://www.ietf.org/mail-archive/web/tls/current/msg02968.html > > > ---- > > >
Received on Wednesday, 14 October 2009 13:42:25 UTC