W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2009

ACTION-575: behavior of current spec for dependent content

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 8 Apr 2009 18:24:33 +0200
Message-Id: <A35FB032-21B0-49A4-93B0-64F6F78DDEE9@w3.org>
To: WSC WG public <public-wsc-wg@w3.org>
On today's call, we were talking about a Web site (say, http://a.example.com/) 
  that includes an image tag pointing elsewhere (say, https://b.example.com/) 
.  Assume that b.example.com actually has a problem with its  
certificate.

The action I took was to have a careful look at section 5.4.1 and see  
what happens in this case.  The section is framed in terms of "HTTP  
connections" (not the cleanest wording), and on its face applies to  
both top-level resources and anything dependent.

That suggests that we might fixes along the following lines:

1. Rephrase from "HTTP connection" to "HTTP transaction".

2. At the very least suggest that user agents MAY also choose to not  
interact at all and treat the error condition as if it was a network  
error -- this change is actually needed to accommodate the behavior  
that we negotiated with Webapps concerning same-origin XMLHttpRequests.

I would actually lean toward saying that they SHOULD go down the  
network error path for dependent resources, but would want implementor  
feed-back before taking that change into account.

As a memo to myself, when we come to changes here, it might be  
worthwhile to revisit the newly added security consideration in 8.7.

Cheers,
--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 8 April 2009 16:24:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:23 UTC