ACTION-567

Incorporate ACTION-509 text

State: closed
Person: Thomas Roessler
Due on: February 17, 2009
Created on: February 10, 2009
Associated Product: wsc-xit
Related emails:
  1. Re: ACTION-509 Cross-frame scripting notes for 'Security Considerations' section (from tlr@w3.org on 2009-02-13)
  2. Re: WG update and no meeting tomorrow (from steele@adobe.com on 2009-02-10)
  3. WG update and no meeting tomorrow (from mzurko@us.ibm.com on 2009-02-10)

Related notes:

Under the browser's Same Origin policy, separately displayed webpages from
the same origin can freely read and modify each other's state. A webpage's
origin is comprised of the scheme, host and port of the URL used to
retrieve the webpage. The origin does not take into account any attributes
of the TLS session or server certificate used when retrieving a webpage.
For example, consider a user agent that has loaded two webpages from
https://www.example.com/. When the first page was retrieved, an Augmented
Assurance Certificate (AAC) was used by the TLS session. When the second
page was retrieved, a different certificate, such as a domain validated or
self-signed certificate, was used. Though the first page was retrieved
using an AAC certificate, the second page can freely read and write the
first page. Differing security presentations of the two pages may obscure
this relationship in the mind of the user.

Mary Ellen Zurko, 10 Feb 2009, 14:04:46

extend section 8.6 "Mixing Augmented Assurance and Validated Certificates" with the following paragraph:

Mary Ellen Zurko, 10 Feb 2009, 14:05:29


Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact