Subject: RE: [wsrp-wsia] [change request #139] Add UpdateResponse.isSecure ?
We should help ensure that a getMarkup() following a performInteraction() always uses secure if the action was over https. This allows a "your credit card transaction will be processed" to be securely displayed to the user. Otherwise, it is just too easy for an attacker to spoof an "invalid credit card - please type number again" message, as users may not notice the transition from secure to insecure.

A portlet can more safely switch by adding insecure (http) action and render URLs to a secure (https) page/fragment, so I think this "feature" is somewhat questionable.

regards,
Andre

-----Original Message-----
From: Rich Thompson [mailto:richt2@us.ibm.com]
Sent: 12 February 2003 16:47
To: wsrp-wsia@lists.oasis-open.org
Subject: [wsrp-wsia] [change request #139] Add UpdateResponse.isSecure?

Document: Spec
Section: 6.1.13
Page/Line: 34/32
Requested by: Mike Freedman
Old text:
New text: [O] boolean isSecure
Reasoning: Don't we need a way for a producer to convert from http/https between an action and a subsequent render? I.e. submit a form securely with a credit card number but the resulting render is back in unsecure mode.

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>