ACTION-575: behavior of current spec for dependent content

On today's call, we were talking about a Web site (say, http://a.example.com/)
that includes an image tag pointing elsewhere (say, https://b.example.com/).
Assume that b.example.com actually has a problem with its certificate.

The action I took was to have a careful look at section 5.4.1 and see  
what happens in this case.  The section is framed in terms of "HTTP  
connections" (not the cleanest wording), and on its face applies to  
both top-level resources and anything dependent.

That suggests that we might want fixes along the following lines:

1. Rephrase from "HTTP connection" to "HTTP transaction".

2. At the very least suggest that user agents MAY also choose to not
interact at all and treat the error condition as if it were a network
error -- this change is actually needed to accommodate the behavior
that we negotiated with Webapps concerning same-origin XMLHttpRequests.

I would actually lean toward saying that they SHOULD go down the  
network error path for dependent resources, but would want implementor  
feed-back before taking that change into account.

As a memo to myself, when we come to changes here, it might be  
worthwhile to revisit the newly added security consideration in 8.7.

Cheers,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 8 April 2009 16:24:46 UTC