Re: TLS error handling in XMLHttpRequest

On Tue, 13 May 2008 16:49:03 +0200, Thomas Roessler <tlr@w3.org> wrote:
> the Web Security Context Working Group is, as you might know,
> working on user interactions for Web user agents when they encounter
> TLS error conditions.
>
>   http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>
> We notice that the XMLHttpRequest Last Call Working Draft specifies
> that XMLHttpRequest can be used over both HTTP and HTTPS, but does
> not specify behavior if TLS negotiation fails for an HTTPS URI.

This would only be the case during a man in the middle attack or in case  
the server randomly generates certificates, but I suppose it deserves a  
mention nonetheless :-)


> We can see several reasonable choices for this case:
>
> - XMLHttpRequest specifies that this case is treated as a generic
>   network failure, and handled by the invoking script.  No user
>   interaction occurs, and certificate validity errors are treated as
>   hard herror conditions.

I've specified this by mentioning "TLS negotiation failure" under "In case  
of network errors" as per our brief F2F discussion on this matter:

   http://dev.w3.org/2006/webapi/XMLHttpRequest/


> (ACTION-444 in Web Security Context.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/

Received on Friday, 16 May 2008 08:57:15 UTC