- From: Simon Pieters <simonp@opera.com>
- Date: Tue, 25 Oct 2011 16:32:05 +0200
- To: "Ian Hickson" <ian@hixie.ch>, "Tobias Oberstein" <tobias.oberstein@tavendo.de>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>
On Tue, 25 Oct 2011 15:54:17 +0200, Tobias Oberstein <tobias.oberstein@tavendo.de> wrote:

>> > Would the following then be appropriate behavior for browsers?
>> >
>> > User loads https://somehost.com:9000/index.html
>> >
>> > UA presents "cert for somehost:9000 not trusted .. accept .. continue?"
>> > dialog.
>> > => That dialog is builtin, no JS involved. As today.
>> >
>> > If user continues, then index.html loads, contains JS.
>> >
>> > The JS then opens wss://somehost.com:9090
>> >
>> > UA present "cert for somehost:9090 not trusted .. accept .. continue?"
>> > [*] => Builtin dialog, no JS involved. Not available in browsers today.
>>
>> I believe Opera does this (if you enable websockets). We might change this
>> to reject untrusted certs for websocket, though.
>
> Does that mean Opera might just _silently_ reject untrusted certs without
> giving the user a dialog to accept the cert?

Right.

> That would be unfortunate IMHO. Since then there is no way to get an
> acceptable user experience any longer.
>
> I can't present a JS created notification and act accordingly, since JS won't
> be allowed to detect "invalid cert".
>
> I can't rely on the browser rendering a builtin dialog for the user to
> accept the cert.
>
> WSS just fails silently.
>
> How is a JS app using WSS supposed to create an acceptable user
> experience?

By using a cert that isn't rejected.

> btw: does Opera support >=Hybi-10,

No. -00.

> and if so, how do I activate it?

Enable WebSockets in opera:config.

>> > If user continues, then the WSS connection succeeds. WS onopen()
>> > handler fires.
>> >
>> > If user does not continue, then WSS connection fails. WS onerror()
>> > handler fires - the latter does not give reason for failure.
>> >
>> > The JS will get onerror() fired for all reasons a) - d) above.
>> >
>> > Thus, there would be not only needed new dialog [*] for "invalid
>> > server cert", but also for the other reasons a) - d).
>> >
>> > In no case JS involved .. dialogs are browser builtin.
>> >
>> > Does above make sense?
>>
>> No, both error and close fire.
>
> Ok. There are different views on that I guess
>
> http://www.ietf.org/mail-archive/web/hybi/current/msg09291.html

Seems Richard is misreading the spec.

> but I - given the comment by Ian, that JS should in no case get detailed
> error feedback on "invalid cert", whether onclose fires or not - honestly
> do not care any longer .. it won't solve my problem anyway.

OK.

> On the other hand, I think it should be decided which is the desired
> behavior: fire onerror only, or fire both.

The spec clearly requires both.

--
Simon Pieters
Opera Software
Received on Tuesday, 25 October 2011 14:31:30 UTC
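The behavior discussed in this message (a failed wss:// connection fires both error and close, and script learns no reason), shown as an added example that is not part of the original message. `trackConnection`, the constructed fake socket and the simulate helpers are hypothetical names; the 1006 and 1000 close codes come from the current WebSocket API, not from this thread.

```javascript
// Added example: classify a WebSocket's fate from its events alone.
// Works with any EventTarget that emits open/error/close like a WebSocket.
function trackConnection(socket) {
  const state = { outcome: 'connecting', events: [], closeCode: null };
  socket.addEventListener('open', () => {
    state.events.push('open');
    state.outcome = 'open';
  });
  socket.addEventListener('error', () => {
    // The error event carries no reason: an untrusted cert, a refused
    // connection and a bad handshake all look the same to script.
    state.events.push('error');
  });
  socket.addEventListener('close', (ev) => {
    state.events.push('close');
    state.closeCode = ev.code;
    // Decide on close, not on error, because both fire on failure.
    state.outcome = state.outcome === 'open' ? 'closed' : 'failed-before-open';
  });
  return state;
}

// Constructed close event so the example runs offline without a browser.
function closeEvent(code, wasClean) {
  return Object.assign(new Event('close'), { code, wasClean, reason: '' });
}

// Constructed failure path: error first, then close with 1006 (abnormal closure).
function simulateFailure(socket) {
  socket.dispatchEvent(new Event('error'));
  socket.dispatchEvent(closeEvent(1006, false));
}

// Constructed success path: open, then a clean close with 1000.
function simulateSession(socket) {
  socket.dispatchEvent(new Event('open'));
  socket.dispatchEvent(closeEvent(1000, true));
}

function demo() {
  const bad = new EventTarget();
  const failed = trackConnection(bad);
  simulateFailure(bad);
  const good = new EventTarget();
  const clean = trackConnection(good);
  simulateSession(good);
  return { failed, clean };
}
```

In a page, pass a real socket instead of the fake one, for example `trackConnection(new WebSocket(url))`, and show a generic "could not connect" message when the outcome is `failed-before-open`.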