TLS error handling in XMLHttpRequest

Hello,

the Web Security Context Working Group is, as you might know,
working on user interactions for Web user agents when they encounter
TLS error conditions.

  http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors

We notice that the XMLHttpRequest Last Call Working Draft specifies
that XMLHttpRequest can be used over both HTTP and HTTPS, but does
not specify behavior if TLS negotiation fails for an HTTPS URI.

We can see several reasonable choices for this case:

- XMLHttpRequest specifies that this case is treated as a generic
  network failure, and handled by the invoking script.  No user
  interaction occurs, and certificate validity errors are treated as
  hard error conditions.

- XMLHttpRequest defers to the surrounding browser's error handling,
  which will generally lead to user interactions.  In this case,
  wsc-xit will be the governing specification for the user
  interaction.

To the best of our knowledge, most browsers prompt the user, and
throw an exception if the user cancels the connection.

(ACTION-444 in Web Security Context.)

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 13 May 2008 14:49:41 UTC