- From: Tobias Oberstein <tobias.oberstein@tavendo.de>
- Date: Tue, 25 Oct 2011 06:54:17 -0700
- To: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>
- CC: "public-webapps@w3.org" <public-webapps@w3.org>
> > Would the following then be appropriate behavior for browsers?
> >
> > User loads https://somehost.com:9000/index.html
> >
> > UA presents "cert for somehost:9000 not trusted .. accept .. continue?"
> > dialog.
> > => That dialog is builtin, no JS involved. As today.
> >
> > If user continues, then index.html loads, contains JS.
> >
> > The JS then opens wss://somehost.com:9090
> >
> > UA present "cert for somehost:9090 not trusted .. accept .. continue?"
> > [*] => Builtin dialog, no JS involved. Not available in browsers today.
>
> I believe Opera does this (if you enable websockets). We might change this
> to reject untrusted certs for websocket, though.

Does that mean Opera might just _silently_ reject untrusted certs without giving the user a dialog to accept the cert?

That would be unfortunate IMHO. Since then there is no way to get an acceptable user experience any longer.

I can't present a JS created notification and act accordingly, since JS won't be allowed to detect "invalid cert".

I can't rely on the browser rendering a builtin dialog for the user to accept the cert.

WSS just fails silently.

How is a JS app using WSS supposed to create an acceptable user experience?

btw: does Opera support >=Hybi-10, and if so, how do I activate it?

> > If user continues, then the WSS connection succeeds. WS onopen()
> > handler fires.
> >
> > If user does not continue, then WSS connection fails. WS onerror()
> > handler fires - the latter does not give reason for failure.
> >
> > The JS will get onerror() fired for all reasons a) - d) above.
> >
> > Thus, there would be not only needed new dialog [*] for "invalid
> > server cert", but also for the other reasons a) - d).
> >
> > In no case JS involved .. dialogs are browser builtin.
> >
> > Does above make sense?
>
> No, both error and close fire.

Ok.

There are different views on that I guess http://www.ietf.org/mail-archive/web/hybi/current/msg09291.html but I - given the comment by Ian, that JS should in no case get detailed error feedback on "invalid cert", whether onclose fires or not - honestly do not care any longer .. it won't solve my problem anyway. On the other hand, I think it should be decided which is the desired behavior: fire onerror only, or fire both.
Received on Tuesday, 25 October 2011 13:54:49 UTC
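
As an added example (not part of the original message, and not any browser's code): a connection watcher that behaves the same whether a user agent fires only `error` or both `error` and `close` on a failed `wss://` connection, and that reports the failure without a reason, since none is exposed to script. `watchConnect`, `fakeSocket`, `simulate` and the callback names are hypothetical.

```javascript
// Added example; watchConnect, fakeSocket and the callback names are hypothetical.
// Works with any object exposing onopen/onerror/onclose like a browser WebSocket.
function watchConnect(ws, cb) {
  const state = { outcome: 'pending', seen: [] };

  // Settle once: a failed connection may deliver error, close, or both.
  function settle(outcome) {
    if (state.outcome !== 'pending') return false;
    state.outcome = outcome;
    return true;
  }

  ws.onopen = () => {
    state.seen.push('open');
    if (settle('open')) cb.onConnected();
  };
  ws.onerror = () => {
    state.seen.push('error');
    // No reason is exposed to script, so report a generic failure only.
    if (settle('failed')) cb.onConnectFailed();
  };
  ws.onclose = () => {
    state.seen.push('close');
    if (state.outcome === 'open') {
      state.outcome = 'closed';
      cb.onDisconnected();
    } else if (settle('failed')) {
      cb.onConnectFailed();
    }
  };
  return state;
}

// Constructed stand-in for a WebSocket so the example runs offline.
function fakeSocket() {
  return { fire(name) { this['on' + name]({ type: name }); } };
}

// Run a constructed event sequence and count the callbacks it triggers.
function simulate(events) {
  const counts = { connected: 0, failed: 0, disconnected: 0 };
  const ws = fakeSocket();
  const state = watchConnect(ws, {
    onConnected: () => counts.connected++,
    onConnectFailed: () => counts.failed++,
    onDisconnected: () => counts.disconnected++,
  });
  events.forEach((e) => ws.fire(e));
  return { counts, outcome: state.outcome };
}
```
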