- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 13 May 2008 16:49:03 +0200
- To: public-webapi@w3.org
- Cc: public-wsc-wg@w3.org
Hello,

the Web Security Context Working Group is, as you might know, working on user interactions for Web user agents when they encounter TLS error conditions.

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors

We notice that the XMLHttpRequest Last Call Working Draft specifies that XMLHttpRequest can be used over both HTTP and HTTPS, but does not specify behavior if TLS negotiation fails for an HTTPS URI.

We can see several reasonable choices for this case:

- XMLHttpRequest specifies that this case is treated as a generic network failure, and handled by the invoking script. No user interaction occurs, and certificate validity errors are treated as hard error conditions.

- XMLHttpRequest defers to the surrounding browser's error handling, which will generally lead to user interactions. In this case, wsc-xit will be the governing specification for the user interaction.

To the best of our knowledge, most browsers prompt the user, and throw an exception if the user cancels the connection.

(ACTION-444 in Web Security Context.)

Regards,

-- Thomas Roessler, W3C <tlr@w3.org>

Received on Tuesday, 13 May 2008 14:49:41 UTC