
Re: TLS error handling in XMLHttpRequest

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 16 May 2008 10:56:50 +0200
To: "Thomas Roessler" <tlr@w3.org>, public-webapi@w3.org
Cc: public-wsc-wg@w3.org
Message-ID: <op.ua8og00q64w2qv@annevk-t60.oslo.opera.com>

On Tue, 13 May 2008 16:49:03 +0200, Thomas Roessler <tlr@w3.org> wrote:
> the Web Security Context Working Group is, as you might know,
> working on user interactions for Web user agents when they encounter
> TLS error conditions.
>
>   http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>
> We notice that the XMLHttpRequest Last Call Working Draft specifies
> that XMLHttpRequest can be used over both HTTP and HTTPS, but does
> not specify behavior if TLS negotiation fails for an HTTPS URI.

This would only be the case during a man in the middle attack or in case  
the server randomly generates certificates, but I suppose it deserves a  
mention nonetheless :-)


> We can see several reasonable choices for this case:
>
> - XMLHttpRequest specifies that this case is treated as a generic
>   network failure, and handled by the invoking script.  No user
>   interaction occurs, and certificate validity errors are treated as
>   hard error conditions.

I've specified this by mentioning "TLS negotiation failure" under "In case  
of network errors" as per our brief F2F discussion on this matter:

   http://dev.w3.org/2006/webapi/XMLHttpRequest/


> (ACTION-444 in Web Security Context.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 16 May 2008 08:57:15 GMT
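
Added example, not part of the original message or of the XMLHttpRequest draft: how an invoking script sees the behaviour discussed above, where a TLS negotiation failure surfaces as a generic network error with no user interaction. It assumes the onload/onerror handlers of present-day XMLHttpRequest; getOverHttps, FakeTlsFailureXHR and the service.example URL are constructed for illustration.

```javascript
// Added illustration. FakeTlsFailureXHR is a constructed stand-in, not a browser API.

// Performs a GET and reports the outcome to `done`. XHRImpl is injectable so the
// example runs outside a browser; in a page it defaults to the real XMLHttpRequest.
function getOverHttps(url, done, XHRImpl) {
  const Impl = XHRImpl || globalThis.XMLHttpRequest;
  const xhr = new Impl();
  xhr.open("GET", url);
  xhr.onload = function () {
    done({ ok: true, status: xhr.status, body: xhr.responseText });
  };
  xhr.onerror = function () {
    // A TLS negotiation failure arrives here like any other network error:
    // status is 0 and no certificate detail is exposed to the script.
    // It is handled as a hard failure: no prompt, no retry, no alternate URL.
    done({ ok: false, status: xhr.status, reason: "network error" });
  };
  xhr.send();
}

// Constructed stand-in that behaves like an XHR whose TLS handshake failed.
class FakeTlsFailureXHR {
  constructor() {
    this.status = 0;
    this.responseText = "";
    this.onload = null;
    this.onerror = null;
  }
  open(method, url) {
    this.method = method;
    this.url = url;
  }
  send() {
    if (this.onerror) this.onerror();
  }
}

// Runs the request against the stand-in and returns what the script observed.
function demo() {
  let outcome = null;
  getOverHttps("https://service.example/data", (r) => { outcome = r; }, FakeTlsFailureXHR);
  return outcome;
}
```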
