On Tue, 25 Oct 2011 15:54:17 +0200, Tobias Oberstein <tobias.oberst...@tavendo.de> wrote:

> Would the following then be appropriate behavior for browsers?
>
> User loads https://somehost.com:9000/index.html
>
> UA presents "cert for somehost:9000 not trusted .. accept .. continue?"
> dialog.
> => That dialog is builtin, no JS involved. As today.
>
> If user continues, then index.html loads, contains JS.
>
> The JS then opens wss://somehost.com:9090
>
> UA presents "cert for somehost:9090 not trusted .. accept .. continue?"
> [*] => Builtin dialog, no JS involved. Not available in browsers today.

I believe Opera does this (if you enable websockets). We might change this
to reject untrusted certs for websocket, though.

Does that mean Opera might just _silently_ reject untrusted certs without
giving the user a dialog to accept the cert?

Right.

That would be unfortunate IMHO. Since then there is no way to get an
acceptable user experience any longer.

I can't present a JS created notification and act accordingly, since JS won't
be allowed to detect "invalid cert".

I can't rely on the browser rendering a builtin dialog for the user to
accept the cert.

WSS just fails silently.

How is a JS app using WSS supposed to create an acceptable user experience?

By using a cert that isn't rejected.

btw: does Opera support >=Hybi-10,

No. -00.

and if so, how do I activate it?

Enable WebSockets in opera:config.

> If user continues, then the WSS connection succeeds. WS onopen()
> handler fires.
>
> If user does not continue, then WSS connection fails. WS onerror()
> handler fires - the latter does not give reason for failure.
>
> The JS will get onerror() fired for all reasons a) - d) above.
>
> Thus, a new dialog [*] would be needed not only for "invalid
> server cert", but also for the other reasons a) - d).
>
> In no case JS involved .. dialogs are browser builtin.
>
> Does above make sense?

No, both error and close fire.

Ok. There are different views on that, I guess.

http://www.ietf.org/mail-archive/web/hybi/current/msg09291.html

Seems Richard is misreading the spec.

but I - given the comment by Ian, that JS should in no case get detailed
error feedback on "invalid cert", whether onclose fires or not - honestly
do not care any longer .. it won't solve my problem anyway.

OK.

On the other hand, I think it should be decided which is the desired
behavior: fire onerror only, or fire both.

The spec clearly requires both.

--
Simon Pieters
Opera Software
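
Added example, not part of the original message or of any browser's code: a client-side sketch of what the thread implies for script, namely that a failed wss:// connection fires both error and close and neither says why. The names observeConnection, userMessage and FakeSocket are hypothetical, and FakeSocket is a constructed stand-in for a browser WebSocket so the block runs offline.

```javascript
// Added example; observeConnection, userMessage and FakeSocket are hypothetical names.
function observeConnection(ws, onOutcome) {
  let opened = false, sawError = false, reported = false;
  ws.addEventListener('open', () => { opened = true; });
  // 'error' carries no reason; note it and wait for the 'close' that follows.
  ws.addEventListener('error', () => { sawError = true; });
  ws.addEventListener('close', (ev) => {
    if (reported) return;            // report each connection attempt once
    reported = true;
    onOutcome({ phase: opened ? 'after-open' : 'before-open',
                sawError, code: ev.code, wasClean: ev.wasClean });
  });
}

// The only thing script can say truthfully: it does not know the cause.
function userMessage(outcome) {
  return outcome.phase === 'before-open'
    ? 'Could not connect to the server (cause not available to the page).'
    : 'Connection to the server was lost.';
}

// Constructed stand-in for a browser WebSocket so the example runs offline.
class FakeSocket extends EventTarget {
  failHandshake() {
    this.dispatchEvent(new Event('error'));
    // 1006 = abnormal closure, the code reported when the connection fails.
    this.dispatchEvent(Object.assign(new Event('close'),
      { code: 1006, wasClean: false, reason: '' }));
  }
}

function demoFailedHandshake() {
  const outcomes = [];
  const ws = new FakeSocket();
  observeConnection(ws, (o) => outcomes.push(o));
  ws.failHandshake();
  return outcomes;
}

console.log(demoFailedHandshake().map(userMessage));
```

An untrusted certificate, an unreachable host and a refused handshake all produce the same outcome object here, so the page can only show a generic message.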
