ISSUE-285: Does BPWG feel it can write Best Practices on links rewriting in the CT guidelines? Or that it cannot be a best practice?

Does BPWG feel it can write Best Practices on links rewriting in the CT guidelines? Or that it cannot be a best practice?

State:
CLOSED
Product:
Guidelines for Web Content Transformation Proxies
Raised by:
François Daoust
Opened on:
2008-12-16
Description:
The discussion on links re-writing goes on within the Content Transformation Task Force. The Task Force feels the working group as a whole should give its point of view on this before we work on potential resulting guidelines.

Here is a short attempt to summarize the issue.

Content Transformation proxies need to rewrite links on a common basis, or perhaps more precisely, they need to switch from being a "proxy" to becoming an "end point".

For instance:
- tokenization of the URIs may be performed to minimize the size of the page returned to the end user.
- when a page gets fragmented, links to subsequent pages then target the proxy as the origin server.
- HTTPS links may be rewritten to enable the possibility to transcode an HTTPS web site.

At the URI level, this means that the URI moves from:
http://[original URI]
... to something like:
http://ct-proxy.example.com/?uri=[original URI]

Security problems arise when links rewriting is performed, mostly because the origin is changed: the same-origin policy that prevents cross-site scripting attacks cannot apply anymore because the CT-proxy typically makes the Web look as if there was one origin.

The list of problems also includes cookies, the change of referer, the use of client certificates, and probably others.

Problems occur whether rewritten links are in HTTP or in HTTPS, with a specific emphasis in the case of HTTPS.

One possible solution is for the CT-proxy to suppress scripting from the content it transforms when it rewrites links.

But the question at stake is rather: is there any "best" practice that can be recommended here? Does the group rather consider that there is by essence no best practice to recommend in that situation, that links rewriting cannot be condoned as a best practice?
Related Actions Items:
No related actions
Related emails:
  1. [minutes] Tuesday 16 June 2009 Teleconf (from fd@w3.org on 2009-06-16)
  2. Re: [agenda] BPWG Teleconferece 2009-06-16 (from casays@yahoo.com on 2009-06-15)
  3. [minutes] Tuesday 7 April 2009 (from fd@w3.org on 2009-04-07)
  4. [minutes] F2F Day 2 - 26 March 2009 - Content Transformation Guidelines (from fd@w3.org on 2009-03-30)
  5. Re: [minutes] Tuesday 13 January 2009 (from Tom.Hume@futureplatforms.com on 2009-01-14)
  6. Re: [minutes] Tuesday 13 January 2009 (from passani@eunet.no on 2009-01-14)
  7. [minutes] Tuesday 13 January 2009 (from fd@w3.org on 2009-01-13)
  8. ISSUE-285: Does BPWG feel it can write Best Practices on links rewriting in the CT guidelines? Or that it cannot be a best practice? (from fd@w3.org on 2008-12-16)
  9. [minutes] CT call 16 December 2008 (from fd@w3.org on 2008-12-16)

Related notes:

No additional notes.

Display change log ATOM feed

Jo Rabin <jo@linguafranca.org>, Daniel Appelquist <daniel.appelquist@vodafone.com>, Chairs, Dominique Hazaël-Massieux <dom@w3.org>, François Daoust <fd@w3.org>, Staff Contacts
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 285.html,v 1.1 2011/01/10 15:19:48 dom Exp $