W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2011

WebSocket treated as subresource: no HTTP auth dialogs?

From: Tobias Oberstein <tobias.oberstein@tavendo.de>
Date: Mon, 31 Oct 2011 12:11:25 -0700
To: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <634914A010D0B943A035D226786325D42D0B0D8668@EXVMBX020-12.exch020.serverdata.net>
On a different thread, Adam Barth clarified that WebSocket connections established
from JS should be treated as "subresources" in the context of the JS containing page.

As a consequence, no browser built-in dialogs should be rendered which offer
the user a chance to act upon i.e. untrusted TLS server certificates when the
WebSocket connection is via TLS ("wss").

Now, how does that translate to HTTP authentication?

What if the WS connection requires HTTP authentication? When the WS is treated
as a subresource, does that mean that no authentication dialog should be
presented to the user for that?

Note, that this is a problem only when the WS connection is to a different
host/port than the JS containing page was served from, which might be
quite common in practice.

However, should above be the case ("no auth dialog rendered"), that may come
as a surprise to some in the WS community, since all discussions for WS auth
mechanisms were always ended by: "you have any HTTP auth there if you need".

The same question applies to HTTP basic/digest auth as well as TLS client cert auth.

No dialog?
Received on Monday, 31 October 2011 19:11:56 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:36 UTC