
Re: TLS error handling in XMLHttpRequest

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 16 May 2008 10:56:50 +0200
To: "Thomas Roessler" <tlr@w3.org>, public-webapi@w3.org
Cc: public-wsc-wg@w3.org
Message-ID: <op.ua8og00q64w2qv@annevk-t60.oslo.opera.com>

On Tue, 13 May 2008 16:49:03 +0200, Thomas Roessler <tlr@w3.org> wrote:
> the Web Security Context Working Group is, as you might know,
> working on user interactions for Web user agents when they encounter
> TLS error conditions.
>   http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
> We notice that the XMLHttpRequest Last Call Working Draft specifies
> that XMLHttpRequest can be used over both HTTP and HTTPS, but does
> not specify behavior if TLS negotiation fails for an HTTPS URI.

This would only be the case during a man in the middle attack or in case  
the server randomly generates certificates, but I suppose it deserves a  
mention nonetheless :-)

> We can see several reasonable choices for this case:
> - XMLHttpRequest specifies that this case is treated as a generic
>   network failure, and handled by the invoking script.  No user
>   interaction occurs, and certificate validity errors are treated as
>   hard error conditions.

I've specified this by mentioning "TLS negotiation failure" under "In case  
of network errors" as per our brief F2F discussion on this matter:


> (ACTION-444 in Web Security Context.)

Anne van Kesteren
Received on Friday, 16 May 2008 08:57:15 UTC
