"Ted" == Ted Lemon <ted(_dot_)lemon(_at_)nominum(_dot_)com> writes:
Ted> On 07/12/2015 01:59 PM, Christian Huitema wrote:
>> My advice to implementers would be to consider the captive portal
>> web page as fundamentally untrusted, and for example not allow it
>> to run scripts. Then system administrators could consider "white
>> listing" some of these pages, provided of course that the
>> connection could be authenticated and protected through HTTPS.
Ted> This is good advice. If it's not specifically stated, I
Ted> suspect it's because the authors thought it was obvious (I
Ted> haven't read the draft in about two months, so I don't remember
Ted> what it says about this).
My concern about this advice is that no one will implement it because it
will break portals. Modern web pages use scripts for a lot of things.
If I were writing such a portal, I'd almost certainly use scripts for
some things, and if I were writing it as a new app I'd probably use a
client-side framework like Angular, where the entire thing was one
script.
So, it's great security advice, but entirely impractical.