- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 16 May 2008 04:02:40 +0200
- To: Thomas Roessler <tlr@w3.org>
- Cc: www-archive@w3.org
* Thomas Roessler wrote:
>the Web Security Context Working Group is, as you might know,
>working on user interactions for Web user agents when they encounter
>TLS error conditions.
>
>  http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>
>We notice that the XMLHttpRequest Last Call Working Draft specifies
>that XMLHttpRequest can be used over both HTTP and HTTPS, but does
>not specify behavior if TLS negotiation fails for an HTTPS URI.
>
>We can see several reasonable choices for this case:
>
>- XMLHttpRequest specifies that this case is treated as a generic
>  network failure, and handled by the invoking script. No user
>  interaction occurs, and certificate validity errors are treated as
>  hard error conditions.
>
>- XMLHttpRequest defers to the surrounding browser's error handling,
>  which will generally lead to user interactions. In this case,
>  wsc-xit will be the governing specification for the user
>  interaction.
>
>To the best of our knowledge, most browsers prompt the user, and
>throw an exception if the user cancels the connection.

If you meant to make a request or suggestion, e.g. that the draft should
specify some behavior here, or would like to hear whether there is some
other behavior that might be reasonable that has not been considered, or
some other thing along those lines, it might be good to add that to the
message. If you just meant this as FYI, adding that would also be good.

I note that for this version of XHR, the request to the https site would
only be made if you loaded the HTML document from the site, so there may
already be, say, some kind of user-override in place for this to happen
at all.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 16 May 2008 02:13:21 UTC