- From: Henry Story <henry.story@bblfish.net>
- Date: Sun, 3 Nov 2013 12:48:59 +0100
- To: Read-Write-Web <public-rww@w3.org>, public-webid WebID Group <public-webid@w3.org>, public-rdfjs@w3.org
I think I have just noticed that Firefox and Chrome under OSX only return the client certificate to the JS when asked by the browser in NEED mode. The same browsers will ask the client for a certificate in WANT mode when not requested by a JS XMLHTTP Request call.

This is somewhat related to ISSUE-60 "HTTP Auth Header for WebID"
http://www.w3.org/2005/Incubator/webid/track/issues/60

Except in this case I am able to decide if the request comes from a JS when using RDFLib.js because it sends the header

    X-Requested-With: XMLHttpRequest

Note that the browser is not able to tell the server if the client has a WebID certificate or not so that the solution in ISSUE-60 would not be relevant here. Also note that requesting a certificate in NEED mode is not a problem when working with JS because JS can catch exceptions and continue working correctly.

Currently my algorithm to choose between requesting a client certificate renegotiation in WANT or NEED mode is the following:

    // true: renegotiate in NEED mode; false: renegotiate in WANT mode.
    // agentParser is defined elsewhere in the server code.
    def must(req: RequestHeader): Boolean = {
      req.headers.get("User-Agent").map { ua =>
        val agent = agentParser.parse(ua)
        import net.sf.uadetector.UserAgentFamily._
        val family = agent.getFamily()
        // NEED for the listed agent families, or for any request flagged as XHR
        val res = (family == CURL || family == JAVA || family == SAFARI || family == OPERA ||
          req.headers.get("X-Requested-With").map(_.trim.equalsIgnoreCase("XMLHttpRequest")).getOrElse(false))
        res
      }.getOrElse(false)
    }

Should we make the X-Requested-By header one that all JS libs send by default when making a request? This would help. Or is there something else one could use? For remote requests there are a number of CORS headers that are added by the browser to the request, but it does not seem to be the case for requests that do not need CORS security.

Still the sad thing about requiring NEED mode for JS is that this prevents the server from describing the reasons of the connection failure at the HTTP level. Is this a bug of JS?

Henry

Social Web Architect
http://bblfish.net/

Received on Sunday, 3 November 2013 11:49:30 UTC
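
The WANT/NEED choice described in the message, as an added example for Node-style header objects; it is not Henry Story's code and does not use UADetector. The function names and the simplified User-Agent regexes are assumptions made for this example, which also shows why Chrome and newer Opera have to be classified before Safari: their User-Agent strings carry a Safari token too.

```javascript
// Added example (constructed): the WANT/NEED decision from the message.
// The regexes below are simplified assumptions, not UADetector's rules.

// Order matters: Chrome and new Opera (OPR/) also send "Safari/", so a plain
// substring test for "Safari" would wrongly push them into NEED mode.
const FAMILY_RULES = [
  ['OPERA',   /\b(?:OPR|Opera)\//],
  ['CHROME',  /\b(?:Chrome|Chromium|CriOS)\//],
  ['SAFARI',  /\bVersion\/[\d.]+.*\bSafari\//],
  ['CURL',    /^curl\//i],
  ['JAVA',    /^Java\//],
  ['FIREFOX', /\bFirefox\//],
];
// Families the message lists as requiring NEED mode.
const NEED_FAMILIES = new Set(['CURL', 'JAVA', 'SAFARI', 'OPERA']);

function uaFamily(ua) {
  for (const [name, re] of FAMILY_RULES) if (re.test(ua)) return name;
  return 'UNKNOWN';
}

// HTTP header names are case-insensitive; do not assume lower-cased keys.
function header(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find(k => k.toLowerCase() === wanted);
  return key === undefined ? undefined : String(headers[key]);
}

function isXhr(headers) {
  const v = header(headers, 'X-Requested-With');
  return v !== undefined && v.trim().toLowerCase() === 'xmlhttprequest';
}

// Returns 'NEED' or 'WANT'. Both inputs are client-controlled, so the result
// only selects the handshake mode; it is never an authentication decision.
function clientCertMode(headers) {
  const ua = header(headers, 'User-Agent');
  if (ua === undefined) return 'WANT'; // mirrors getOrElse(false) in the original
  return NEED_FAMILIES.has(uaFamily(ua)) || isXhr(headers) ? 'NEED' : 'WANT';
}
```
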