W3C home > Mailing lists > Public > public-xg-webid@w3.org > December 2011

Re: workaround for Opera and Safari

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 27 Dec 2011 10:47:41 +0100
Cc: foaf-protocols@lists.foaf-project.org
Message-Id: <E88DBCC8-96A2-4DDF-9831-963652AB76C4@bblfish.net>
To: WebID XG <public-xg-webid@w3.org>
> On 22 Dec 2011, at 15:30, Henry Story wrote:
>> So by now every desktop browser I have works well with WebID except Opera and Safari. Well
>> in fact they do work but one has to use the pre TLS-renegotation fix compatibility mode
>> and the server has to ask for the certificate in NEED mode. I am not sure if this is needed
>> only on OSX btw, it may be different on Windows. So what is the problem? Well the problem
>> is that in NEED mode if the client does not have a certificate or cancels the selection then
>> the web page displayed is going to be an ugly error page that would disconcert non technical
>> users. 

On 23 Dec 2011, at 20:01, Henry Story wrote:
> Ok so I now have a demo of a WebID service that works in a user friendly way with all desktop browsers. Here the issue was to get Safari and Opera to request a certificate from the user if he has one, without showing him an ugly ERROR screen if he does not or refuses.
> You can try this out now with 
>   https://foafssl.org/srv/idp?rs=http://webid.fcns.eu/
> The changes this required are listed here
>  https://dvcs.w3.org/hg/read-write-web/rev/23a4ecd7b45d
> especially see the needyLogin function in 
>  https://dvcs.w3.org/hg/read-write-web/diff/23a4ecd7b45d/src/main/resources/template/webidp/idp/util.js
> Merry Xmas,
> 	Henry

Just to recapitulate the most important part of this workaround is this simple piece of JavaScript which
can be called by the web page that does not need to be protected and that would contain

    <script src="idp/jquery.1.7.1.min.js"></script>
    <script src="idp/util.js" type="text/javascript"></script>

Then the util.js file contains the following:
 * Copyright (c) 2011 Henry Story (bblfish.net)
 * under the MIT licence defined at
 *    http://www.opensource.org/licenses/mit-license.html

function isNeedBrowser() {
    var need = false
    if ($.browser.opera)  var need = true
    var userAgent = navigator.userAgent.toString().toLowerCase();
    if ((userAgent.indexOf('safari') != -1) && !(userAgent.indexOf('chrome') != -1)) {
        need = true //we are in safari
    return need

 * Opera and Safari (on OSX at least) only serve a certificate if requested in NEED mode (as opposed to TLS WANT)
 * (looking for clear specs on this distinction). In NEED mode if the browser does not have a certificate or if
 * the client does not send one, the web page just shows an UGLY empty error page that no human would understand.
 * This is horrible user experience. Instead we therefore do the request over AJAX, and show a nicely put together
 * error message instead.
 * todo: Clearly the error message could be built using a function call
function needyLogin(){
        if (isNeedBrowser()) {
            var url = $('#login').attr('action');
            $('body').load(url+ '#wrapper',{post:'yes'},function(response, status, xhr) {
                if (status == 'error') {
                    alert('You probably don\'t have a WebID enabled Certificate. It is worth getting one.' );
                    return false
            return false
        } else return true

So what does this do? Essentially if the browser is one of the NEEDy browsers
the authentication is done via AJAX and if an error is cought because the client
did not send a certificate, then the UI experience can continue without interruption.

One could do everything I suppose like this, but the advantage the other browsers have
is that authentication can continue on web sites that do not have javascript enabled,
which I can imagine more security minded sites will like.


Social Web Architect
Received on Tuesday, 27 December 2011 09:48:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:50 UTC