Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13

>>>>> "Ted" == Ted Lemon <ted.lemon@xxxxxxxxxxx> writes:

    Ted> On 07/12/2015 01:59 PM, Christian Huitema wrote:
    >> My advice to implementers would be to consider the capture portal
    >> web page as fundamentally untrusted, and for example not allow it
    >> to run scripts. Then system administrators could consider "white
    >> listing" some of these pages, provided of course that the
    >> connection could be authenticated and protected through HTTPS.
    Ted> This is good advice.  If it's not specifically stated, I
    Ted> suspect it's because the authors thought it was obvious (I
    Ted> haven't read the draft in about two months, so I don't remember
    Ted> what it says about this).

My concern about this advice is that no one will implement it because it
will break portals.  Modern web pages use scripts for a lot of things.
If I were writing such a portal, I'd almost certainly use scripts for
some things and probably if I were writing it as a new app use a
client-side framework like Angular where the entire thing was one
script.
So, it's great security advice, but entirely impractical.



