On Tue, 13 May 2008 16:49:03 +0200, Thomas Roessler <[EMAIL PROTECTED]> wrote:
> the Web Security Context Working Group is, as you might know,
> working on user interactions for Web user agents when they encounter
> TLS error conditions.
> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>
> We notice that the XMLHttpRequest Last Call Working Draft specifies
> that XMLHttpRequest can be used over both HTTP and HTTPS, but does
> not specify behavior if TLS negotiation fails for an HTTPS URI.
This would only be the case during a man in the middle attack or in case
the server randomly generates certificates, but I suppose it deserves a
mention nonetheless :-)
> We can see several reasonable choices for this case:
>
> - XMLHttpRequest specifies that this case is treated as a generic
> network failure, and handled by the invoking script. No user
> interaction occurs, and certificate validity errors are treated as
> hard error conditions.
I've specified this by mentioning "TLS negotiation failure" under "In case
of network errors" as per our brief F2F discussion on this matter:
http://dev.w3.org/2006/webapi/XMLHttpRequest/
(ACTION-444 in Web Security Context.)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
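The behaviour the thread settles on, as an added example that is not part of the original messages nor of the XMLHttpRequest draft: a script issuing an XMLHttpRequest to an https URI only ever sees a TLS negotiation failure as a generic network error (the error event fires, status is 0, nothing identifies the cause), so it has to treat that outcome as a hard failure. The wrapper below, `requestOverTls`, and the `FakeXhr` transport are assumed names; the XMLHttpRequest constructor is injected so the code runs offline in Node against a simulated transport instead of a real browser object.

```javascript
// Added example (not from the thread): how a script observes an XHR over
// HTTPS whose TLS negotiation failed. Per the draft, the failure surfaces as
// a generic network error: onerror fires, status is 0, statusText is empty,
// and the script is given no reason. It must therefore treat the outcome as
// a hard error; in particular it must not retry the same resource over http.
//
// XhrCtor is injected so the example runs in Node (which has no global
// XMLHttpRequest) against the simulated transport defined further down.
function requestOverTls(url, XhrCtor) {
  return new Promise((resolve, reject) => {
    // Refuse to start a request that would not be protected by TLS at all.
    if (!/^https:\/\//i.test(url)) {
      reject(new Error("refusing non-https URL: " + url));
      return;
    }
    const xhr = new XhrCtor();
    xhr.open("GET", url);
    xhr.onload = () => resolve({ status: xhr.status, body: xhr.responseText });
    // Every network error, TLS negotiation failure included, arrives here.
    xhr.onerror = () => reject(classifyFailure(xhr));
    xhr.send();
  });
}

// Everything the script can learn from a failed request: the network layer
// failed. status 0 and an empty statusText are all that is exposed, so a
// certificate problem is indistinguishable from a dropped connection.
function classifyFailure(xhr) {
  const err = new Error("network error (cause not exposed to script)");
  err.status = xhr.status;          // 0 on any network error
  err.statusText = xhr.statusText;  // "" on any network error
  err.retryOverHttp = false;        // a hard error: never downgrade
  return err;
}

// Constructed simulation of the two outcomes; no real network is touched.
// "ok" completes with an HTTP response; anything else models a transport
// that drops before any HTTP status exists, as a TLS failure would.
function makeFakeXhr(outcome) {
  return class FakeXhr {
    constructor() { this.status = 0; this.statusText = ""; this.responseText = ""; }
    open() {}
    send() {
      if (outcome === "ok") {
        this.status = 200; this.statusText = "OK"; this.responseText = "hello";
        if (this.onload) this.onload();
      } else {
        if (this.onerror) this.onerror();
      }
    }
  };
}

// Stand-alone demonstration of both paths.
requestOverTls("https://example.invalid/", makeFakeXhr("ok"))
  .then(r => console.log("success:", r.status, r.body));
requestOverTls("https://example.invalid/", makeFakeXhr("tls-failure"))
  .catch(e => console.log("failure:", e.message, "status =", e.status));
```

The only observable difference between the two paths is which handler fires; the error object carries no certificate or handshake detail, which is exactly why the spec can describe TLS negotiation failure simply as a network error left to the invoking script.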