Re: Content Transformation Guidelines: Last Call Working Draft (LC-2085)

From a quick review, section 4.2.9.3 looks vastly improved. I'll
solicit the WSC WG's opinions on the changed version; speaking
personally, I'm happy with the current text.

I would like to call out a specific point in 4.2.9.2:

> Proxies must preserve security between requests for domains that are  
> not same-origin in respect of cookies and scripts.

It is probably worthwhile to call out in non-normative security
considerations what that actually means -- namely, fairly heavy
rewriting of scripts along the lines of what Caja does, and rewriting
of cookies to emulate the behavior that a browser would otherwise show.

As a final comment, in the checklist at the top of section 4.9.2, the
"other factors" laudably include:

> "the user agent has features (such as linearization or zoom) that  
> allow it to present the content unaltered;"

Given that content transformation proxies at times depend on the  
network that is used to access a resource, it might also be worthwhile  
calling out the use of a "desktop" browser over a mobile network as a  
case that proxies should take into account.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>







On 6 Oct 2009, at 17:34, fd@w3.org wrote:

>
> Dear Thomas Roessler,
>
> The Mobile Web Best Practices Working Group has reviewed the comments you
> sent [1] on the Last Call Working Draft [2] of the Content Transformation
> Guidelines 1.0 published on 1 Aug 2008. Thank you for having taken the time
> to review the document and to send us comments!
>
> The Working Group's response to your comment is included below, and has
> been implemented in the new version of the document available at:
> http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/.
>
> Please review it carefully and let us know by email at
> public-bpwg-comments@w3.org if you agree with it or not before 6 November
> 2009. In case of disagreement, you are requested to provide a specific
> solution for or a path to a consensus with the Working Group. If such a
> consensus cannot be achieved, you will be given the opportunity to raise a
> formal objection which will then be reviewed by the Director during the
> transition of this document to the next stage in the W3C Recommendation
> Track.
>
> Thanks,
>
> For the Mobile Web Best Practices Working Group,
> Dominique Hazaël-Massieux
> François Daoust
> W3C Staff Contacts
>
> 1. http://www.w3.org/mid/20080829090132.GB224@iCoaster.does-not-exist.org
> 2. http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/
>
>
> =====
>
> Your comment on 4.3.6.2 HTTPS Link Re-writing:
>> Dom,
>>
>> thanks for your request for review.
>>
>> With respect to the guidelines regarding the rewriting of HTTPS
>> URIs, we notice that any such rewriting will break any use of TLS
>> for authenticating the client to the server (e.g., use of TLS client
>> certificates). Similarly, any applications on top of HTTPS that rely
>> on TLS channel bindings would detect the proxy's intervention as an
>> attack, and lead to a broken user experience; see RFC 5056 for more
>> details about channel bindings.
>>
>> We recommend that you discuss this aspect with the IETF TLS Working
>> Group.
>>
>> Regards,
>
>
> Working Group Resolution (LC-2085):
> We agree and have added text that reflects your concerns and discussed
> with the IETF TLS Working Group:
> http://www.ietf.org/mail-archive/web/tls/current/msg02968.html
>
>
> ----
>
>
>

Received on Wednesday, 14 October 2009 13:42:25 UTC