- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 16 May 2008 10:56:50 +0200
- To: "Thomas Roessler" <tlr@w3.org>, public-webapi@w3.org
- Cc: public-wsc-wg@w3.org
On Tue, 13 May 2008 16:49:03 +0200, Thomas Roessler <tlr@w3.org> wrote: > the Web Security Context Working Group is, as you might know, > working on user interactions for Web user agents when they encounter > TLS error conditions. > > http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors > > We notice that the XMLHttpRequest Last Call Working Draft specifies > that XMLHttpRequest can be used over both HTTP and HTTPS, but does > not specify behavior if TLS negotiation fails for an HTTPS URI. This would only be the case during a man in the middle attack or in case the server randomly generates certificates, but I suppose it deserves a mention nonetheless :-) > We can see several reasonable choices for this case: > > - XMLHttpRequest specifies that this case is treated as a generic > network failure, and handled by the invoking script. No user > interaction occurs, and certificate validity errors are treated as > hard herror conditions. I've specified this by mentioning "TLS negotiation failure" under "In case of network errors" as per our brief F2F discussion on this matter: http://dev.w3.org/2006/webapi/XMLHttpRequest/ > (ACTION-444 in Web Security Context.) -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/
Received on Friday, 16 May 2008 08:57:15 UTC