Adding the headers as protocol elements seems like an
obvious answer for the consumer, but it's only one direction.
And, I'm loathe to add something meant for consumption
by the browser unless the enduser really wants to see
the information.
I keep getting stuck on what the browser (or other consuming
of warning headers) is supposed to do with the warnings. Will
people really add banners or red warning lines around the
modified content (assuming that it really is geometrically
possible)? Keep a log of the modification events in the
same place as all other useless log files that the system
faithfully maintains?
The reverse direction, to the content publisher, noting what
transformations have taken place, well, the only reason
I've ever heard of for notification is if money is involved,
i.e., accounting. I don't think the publisher would want
to know that "the proxy inserted a photo of the consumer's
pet aardvark in place of gif 2239 on page /mumble/foo/baz.htm."
Or, is my imagination running too far afield?
Hilarie
Ian Cooper <icooper(_at_)equinix(_dot_)com> 03/26/01 02:33PM >>>
At 17:54 3/23/2001 -0700, Hilarie Orman wrote:
My comments in brackets.
Hilarie
Ian Cooper <icooper(_at_)equinix(_dot_)com> 03/23/01 09:13AM >>>
At 07:21 3/23/2001 -0800, Michael W. Condry wrote:
Intermediary services provided in this way are not
transparent: Either the content requestor or provider will
be aware that a transformation has been performed.
Did we remove the case where the access provider is the one controlling the
transformation?
[The security model will have to clarify this. "Controlling" the
transformation might be a different role than "authorizing" or
"delegating" the transformation. So the access provider may
simply be carrying out the intent of the requestor or provider.]
Also "..the content requestor.. will be aware that a transformation has
been performed". Would this be similar to the notional Warning headers
that I've never seen used in HTTP/1.1? The content consumer may have
requested that services be provided, but when do they know if the trigger
has fired and the transformation has been carried out?
[Again, the security work needs to clarify this; "awareness" might be
as little as "authorization", or as intrusive as "click here for element
transformation 'Language Translation English to Chinese' action".
Agreed that we need to do work in this area - I was trying to get some
discussion going ;-)
What I was trying to get at was the fact that a rule may not trigger for
every request a specific content consumer requests. And the "click here
for action" is rather too intrusive, perhaps. So perhaps this is a
candidate for an update to 2616 for some additional Warning header material?
This is a case where "you signed on the dotted line" doesn't work. The
user may be aware that a certain transformation *could* occur, but I think
they also need to know when it *has* occurred.
So while I agree that there needs to be some work within the security text,
I also think there's a real protocol element to it.