Re: ACTION-369: webarch implications of 7.2

My worry is that it's often not possible (or very difficult) for someone to
keep http and https consistent. This includes people on shared servers, as
well as people with very complicated setups. For instance,
http://code.google.com takes you to Google Code,
https://code.google.com takes you to normal Google search. Could this
be fixed?
Maybe/probably/who-knows, but is it worth the effort? Probably not, given
that we don't ever expect someone to try to access code.google.com via
https.
On Jan 17, 2008 10:03 AM, Thomas Roessler <tlr@w3.org> wrote:

>
> Section 7.2 [1] was the object of recent discussions around
> ISSUE-123, noticing that the technique described in this section is
> not guaranteed to work.
>
> I propose to add the following note to an eventual rewrite of the
> section (which Tyler owes as ACTION-368):
>
>        The technique outlined in this section is a best effort to
>        steer the user toward a safer interaction.  There is no
>        guarantee that replacing the scheme in an "http" URI by
>        "https" leads to a URI that references a resource in any way
>        related to the original one.  Also, when the current page
>        was obtained through an unsafe HTTP interaction (such as
>        POST), performing a GET request on a URI that was produced
>        in this way might negatively affect session-based web
>        applications.
>
> Tyler, can you just copy and paste this in (and possibly smoothen
> the language a bit) when you do ACTION-368?
>
> As a side remark, I wonder if there is an authoring best practice in
> here (for section 9) that suggests keeping http and https URI spaces
> consistent.  Thoughts?
>
> 1.
> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#safebar-must-have-tls
>
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
>

Received on Thursday, 17 January 2008 18:07:29 UTC