- From: Joe Steele <steele@adobe.com>
- Date: Wed, 7 Apr 2010 09:57:41 -0700
- To: Thomas Roessler <tlr@w3.org>
- CC: WSC WG public <public-wsc-wg@w3.org>
- Message-ID: <101FAFA5-04E3-483B-ABBF-918EC3C5CDA6@adobe.com>
For context - the comment from "timeless" with additional comment from Mez: **1** > > [Definition: A Web page is called TLS-secured if the top-level > resource and all other resources that can affect or control the > page's content and presentation have been retrieved through strongly > TLS protected HTTP transactions. ] > > If the user adds content, this isn't content that was retrieved via > TLS and it does affect the page's content.... > This would also apply to HTML5 storage concepts. I don't understand this point. In web applications I am familiar with, user content served up in the web application is served up (retrieved through) via TLS along with the rest of the web application. Anyone else understand this one? This seems to be an issue with the word "retrieved". Is content that is not coming from a remote site considered to be "retrieved"? There are two cases mentioned: 1. user generated content -- I think this content is clearly not an issue if the web page they are being entered into was retrieved over strong-TLS HTTP. 2. locally stored content -- This is a bit more murky, since unprotected or weakly-protected HTTP content could potentially have modified this content. However even if the user agent partitions access to local storage by whether the access attempt is coming from a strongly-protected HTTP web page or not, this content is still subject to local manipulation. This applies even to cached data from previous sessions. I think we should tighten the definition to only refer to content that is retrieved remotely, not locally stored content, as otherwise no web page that accesses locally stored content can really be considered strongly-TLS protected. And locally stored content seems to be outside the scope of this document. I would propose this change to paragraph 1 in section 5.3: If a given Web page consists of a single resource only, then all content <change>retrieved through an HTTP transaction</change> that the user interacts with has security properties derived from the HTTP transaction used to retrieve the content. And similar changes to the two following definitions: [Definition: A Web page is called TLS-secured if the top-level resource and all other resources that can affect or control the page's content and presentation <change>and are retrieved through an HTTP transaction</change> have been retrieved through strongly TLS protected HTTP transactions. ] [Definition: A Web page is called mixed content if the top-level resource was retrieved through a strongly TLS protected HTTP transaction, but some dependent resources were <change>retrieved through a weakly protected or unprotected HTTP transaction</change>] Thoughts? Joe On Apr 7, 2010, at 3:36 AM, Thomas Roessler wrote: Joe, at last week's call, you accepted ACTION-640 to propose a clarification to the interaction model in wsc-ui to deal with item **1** in timeless' comments. I don't see any trace of that suggestion -- what am I missing? Thanks, -- Thomas Roessler, W3C <tlr@w3.org<mailto:tlr@w3.org>>
Received on Wednesday, 7 April 2010 18:31:13 UTC