Re: TLS error handling in XMLHttpRequest

* Thomas Roessler wrote:
>the Web Security Context Working Group is, as you might know,
>working on user interactions for Web user agents when they encounter
>TLS error conditions.
>
>  http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>
>We notice that the XMLHttpRequest Last Call Working Draft specifies
>that XMLHttpRequest can be used over both HTTP and HTTPS, but does
>not specify behavior if TLS negotiation fails for an HTTPS URI.
>
>We can see several reasonable choices for this case:
>
>- XMLHttpRequest specifies that this case is treated as a generic
>  network failure, and handled by the invoking script.  No user
>  interaction occurs, and certificate validity errors are treated as
>  hard error conditions.
>
>- XMLHttpRequest defers to the surrounding browser's error handling,
>  which will generally lead to user interactions.  In this case,
>  wsc-xit will be the governing specification for the user
>  interaction.
>
>To the best of our knowledge, most browsers prompt the user, and
>throw an exception if the user cancels the connection.

If you meant to make a request or suggestion, e.g. that the draft should
specify some behavior here, or would like to hear whether there is some
other behavior that might be reasonable that has not been considered, or
some other thing along those lines, it might be good to add that to the
message. If you just meant this as FYI, adding that would also be good.

I note that for this version of XHR, the request to the https site would
only be made if you loaded the HTML document from the site, so there may
already be, say, some kind of user-override in place for this to happen
at all.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
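The first option in the quoted message (a failed TLS negotiation is surfaced to script as a generic network failure, with no user prompt) is illustrated below. This is an added example, not code from the thread or from any browser or specification; the function names `classifyOutcome` and `fetchOverHttps` and the two fake XMLHttpRequest stand-ins are constructed for it so that it runs outside a browser.

```javascript
// Added example (not part of the original thread): how a script sees an
// XMLHttpRequest to an https URI whose connection fails, when the failure is
// reported as a generic network error rather than via a browser prompt.

function classifyOutcome(xhr) {
  // From the script's point of view a TLS handshake failure looks like any
  // other network failure: readyState is DONE (4) but status stays 0 and no
  // response arrives. Treat it as a hard error; the script must not try to
  // "recover" from a certificate problem, e.g. by retrying over plain http.
  if (xhr.readyState !== 4) {
    return { ok: false, kind: "incomplete" };
  }
  if (xhr.status === 0) {
    return { ok: false, kind: "network-or-tls-failure" };
  }
  if (xhr.status >= 200 && xhr.status < 300) {
    return { ok: true, kind: "success", status: xhr.status };
  }
  return { ok: false, kind: "http-error", status: xhr.status };
}

// XHRImpl is injected so the example can be run with a stand-in below;
// in a browser you would pass the global XMLHttpRequest constructor.
function fetchOverHttps(url, XHRImpl, onDone) {
  if (!/^https:\/\//i.test(url)) {
    // Only https is accepted; there is deliberately no http fallback.
    throw new Error("refusing non-https URL: " + url);
  }
  const xhr = new XHRImpl();
  xhr.open("GET", url, true);
  xhr.onload = () => onDone(classifyOutcome(xhr));
  xhr.onerror = () => onDone(classifyOutcome(xhr));
  xhr.send();
  return xhr;
}

// Constructed stand-ins (hypothetical, for running offline): one behaves like
// a request whose TLS negotiation failed, the other like a normal 200 reply.
class FakeFailingXHR {
  constructor() { this.readyState = 0; this.status = 0; this.onload = null; this.onerror = null; }
  open() { this.readyState = 1; }
  send() { this.readyState = 4; this.status = 0; if (this.onerror) this.onerror(); }
}

class FakeOkXHR {
  constructor() { this.readyState = 0; this.status = 0; this.onload = null; this.onerror = null; }
  open() { this.readyState = 1; }
  send() { this.readyState = 4; this.status = 200; if (this.onload) this.onload(); }
}

function runDemo() {
  const results = {};
  fetchOverHttps("https://example.test/data", FakeFailingXHR, (r) => { results.failed = r; });
  fetchOverHttps("https://example.test/data", FakeOkXHR, (r) => { results.ok = r; });
  let rejected = false;
  try {
    fetchOverHttps("http://example.test/data", FakeOkXHR, () => {});
  } catch (e) {
    rejected = true;
  }
  results.plainHttpRejected = rejected;
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runDemo());
}
```

The point the stand-ins make is that under this option the script cannot tell a certificate validity error from a dropped connection; whichever path the specification eventually takes, the script-side handler should treat status 0 as final and leave any override decision to the user agent rather than downgrading the request.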

Received on Friday, 16 May 2008 02:13:21 UTC