
MIX: Stop throwing exceptions for WebSockets.

mikewest committed Jan 14, 2015
1 parent 58b507b commit f2730ad4e5125a574bc885883542e57da99cc6c3
Showing with 92 additions and 46 deletions.
  1. +52 −30 specs/mixedcontent/index.html
  2. +40 −16 specs/mixedcontent/index.src.html
@@ -70,7 +70,7 @@
<h1 class="p-name no-ref" id="title">Mixed Content</h1>

<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
<time class="dt-updated" datetime="2015-01-12">12 January 2015</time></span></h2>
<time class="dt-updated" datetime="2015-01-14">14 January 2015</time></span></h2>

<div data-fill-with="spec-metadata">
<dl>
@@ -472,8 +472,8 @@ <h3 class="heading settled" data-level="2.1" id="terms-defined-here"><span class


<dd>
Given a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> <var>A</var>, the <strong>embedding
document</strong> of <var>A</var> is the <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code>
Given a <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code> <var>A</var>, the <strong>embedding
document</strong> of <var>A</var> is the <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code>
<a data-link-type="dfn" href="http://www.w3.org/TR/html5/#browsing-context-nested-through" title="nested through">through which</a> <var>A</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/#browsing-context" title="browsing context">browsing
context</a> is nested.
</dd>
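Review bot: the new `href` on both replaced lines is two URLs run together, `https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document`, which resolves to nothing; the `Document` link should keep the single target `http://www.w3.org/TR/html5/dom.html#document` it had before. The same `https://tools.ietf.org/html/rfc6455` prefix is prepended to every `Document`, `XMLHttpRequest`, `WebSocket`, `onerror`, `EventSource` and `Fetch` link in this generated file, so the cause is most likely in how the new RFC 6455 reference is declared in `specs/mixedcontent/index.src.html` or in the generator's link resolution rather than in any one paragraph; fix the source, regenerate `index.html`, and re-diff before landing.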
@@ -685,7 +685,7 @@ <h3 class="heading settled" data-level="3.2" id="category-blockable"><span class
<p>Any resource that isn’t <a data-link-type="dfn" href="#optionally_blockable-content">optionally-blockable</a> is
<dfn data-dfn-type="dfn" data-local-title="blockable" data-noexport="" id="blockable-content" title="blockable content">blockable
content<a class="self-link" href="#blockable-content"></a></dfn>. Typical examples of this kind of content include scripts,
<a data-link-type="dfn" href="http://www.w3.org/TR/html5/#plugin">plugin</a> data, data requested via XMLHttpRequest, and so on. Every
<a data-link-type="dfn" href="http://www.w3.org/TR/html5/#plugin">plugin</a> data, data requested via <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/XMLHttpRequest/#interface-xmlhttprequest">XMLHttpRequest</a></code>, and so on. Every
<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-context">request context</a> that is not <a data-link-type="dfn" href="#optionally_blockable-content">optionally-blockable</a> is a
<dfn data-dfn-type="dfn" data-noexport="" id="blockable-request-context">blockable request context<a class="self-link" href="#blockable-request-context"></a></dfn>. This explicitly includes any contexts
defined after publication of this document.</p>
@@ -719,7 +719,7 @@ <h2 class="heading settled" data-level="4" id="strict-checking"><span class="sec
<a data-section="" href="#requirements-user-controls">§7.3 User Controls</a>.</p>


<p>To this end, <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> objects and <a data-link-type="dfn" href="http://www.w3.org/TR/html5/#browsing-context">browsing contexts</a> have a
<p>To this end, <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code> objects and <a data-link-type="dfn" href="http://www.w3.org/TR/html5/#browsing-context">browsing contexts</a> have a
<dfn data-dfn-type="dfn" data-noexport="" id="strict-mixed-content-checking-flag">strict mixed content checking flag<a class="self-link" href="#strict-mixed-content-checking-flag"></a></dfn> which is set to
<code>false</code> unless otherwise specified. This flag is checked in both
<a data-section="" href="#should-block-fetch">§5.2
@@ -728,11 +728,11 @@ <h2 class="heading settled" data-level="4" id="strict-checking"><span class="sec
Should response to request be blocked as mixed
content?
</a> to determine whether
the <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> is in <dfn data-dfn-type="dfn" data-noexport="" id="strict-mode">strict mode<a class="self-link" href="#strict-mode"></a></dfn>.</p>
the <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code> is in <dfn data-dfn-type="dfn" data-noexport="" id="strict-mode">strict mode<a class="self-link" href="#strict-mode"></a></dfn>.</p>


<div class="example">
A <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> may opt itself into strict mode by either delivering a
A <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code> may opt itself into strict mode by either delivering a
<code>Content-Security-Policy</code> HTTP header, like:


@@ -761,7 +761,7 @@ <h2 class="heading settled" data-level="4" id="strict-checking"><span class="sec
<h3 class="heading settled" data-level="4.1" id="strict-effects"><span class="secno">4.1. </span><span class="content">Effects</span><a class="self-link" href="#strict-effects"></a></h3>


<p>If a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag">strict mixed content checking flag</a> is set to
<p>If a <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag">strict mixed content checking flag</a> is set to
<code>true</code>, the user agent MUST:</p>


@@ -804,7 +804,7 @@ <h3 class="heading settled" data-level="4.1" id="strict-effects"><span class="se


<li>
ensure that these requirements are applied to any <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> in a
ensure that these requirements are applied to any <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code> in a
<a data-link-type="dfn" href="http://www.w3.org/TR/html5/#nested-browsing-context">nested browsing context</a>, as described in <a data-section="" href="#strict-nesting">§4.3 Inheriting an opt-in</a>.
</li>

@@ -815,7 +815,7 @@ <h3 class="heading settled" data-level="4.1" id="strict-effects"><span class="se
<h3 class="heading settled" data-level="4.2" id="strict-opt-in"><span class="secno">4.2. </span><span class="content">Opting-in</span><a class="self-link" href="#strict-opt-in"></a></h3>


<p>Authors may opt a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> into strict mixed content checking via a
<p>Authors may opt a <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code> into strict mixed content checking via a
<dfn data-dfn-type="dfn" data-noexport="" id="strict_mixed_content_checking">strict-mixed-content-checking<a class="self-link" href="#strict_mixed_content_checking"></a></dfn>
Content Security Policy directive <a data-biblio-type="informative" data-link-type="biblio" href="#biblio-csp" title="CSP">[CSP]</a>, defined via the following ABNF
grammar.</p>
@@ -844,7 +844,7 @@ <h3 class="heading settled" data-level="4.2" id="strict-opt-in"><span class="sec
<h3 class="heading settled" data-level="4.3" id="strict-nesting"><span class="secno">4.3. </span><span class="content">Inheriting an opt-in</span><a class="self-link" href="#strict-nesting"></a></h3>


<p>If a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag">strict mixed content checking flag</a> is set, the user
<p>If a <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag">strict mixed content checking flag</a> is set, the user
agent MUST ensure that all <a data-link-type="dfn" href="http://www.w3.org/TR/html5/#nested-browsing-context">nested browsing contexts</a> inherit the setting
in the following ways:</p>

@@ -1261,14 +1261,35 @@ <h3 class="heading settled" data-level="5.3" id="should-block-response"><span cl
<h2 class="heading settled" data-level="6" id="websockets-integration"><span class="secno">6. </span><span class="content">Modifications to WebSockets</span><a class="self-link" href="#websockets-integration"></a></h2>


<p>The <a href="http://www.w3.org/TR/2012/CR-websockets-20120920/#the-websocket-interface"><code>WebSocket()</code>
<p>The <a href="http://www.w3.org/TR/websockets/#the-websocket-interface"><code>WebSocket()</code>
constructor algorithm</a> <a data-biblio-type="normative" data-link-type="biblio" href="#biblio-websockets" title="WEBSOCKETS">[WEBSOCKETS]</a> is modified as follows:</p>


<ul>

<li>
Replace Step 2 with the following steps:
Remove the current step 2.



<ol>
</ol>


</li>


</ul>


<p>The <a href="http://tools.ietf.org/html/rfc6455#section-4.1">Establish a
WebSocket Connection algorithm</a> <a data-biblio-type="normative" data-link-type="biblio" href="#biblio-rfc6455" title="RFC6455">[RFC6455]</a> is modified as follows:</p>


<ul>

<li>
After the current step 1, perform the following step:


<ol>
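Review bot: after "Remove the current step 2." the `<ol>` / `</ol>` pair that used to hold the replacement steps is left in place but empty, so the rendered bullet ends with an empty ordered list; drop it (or the source markup that emits it). The constructor link also moves from the dated `http://www.w3.org/TR/2012/CR-websockets-20120920/#the-websocket-interface` to the undated `http://www.w3.org/TR/websockets/#the-websocket-interface`; that is fine, but check that the `[WEBSOCKETS]` biblio entry cited on the same line points at the same revision so the link and the citation agree.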
@@ -1278,9 +1299,11 @@ <h2 class="heading settled" data-level="6" id="websockets-integration"><span cla
<a data-section="" href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> returns <code>Restricts Mixed
Content</code> when applied to <var>entry script</var>’s
Content</code> when applied to <var>client</var>’s <var>entry
script</var>’s
<a data-link-type="dfn" href="http://www.w3.org/TR/html5/#relevant-settings-object-for-a-script" title="relevant settings object for a script">relevant settings
object</a>’s, then throw a <code>SecurityError</code> exception.
object</a>’s, then the client MUST <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6455#section-7.1.7" title="fail the WebSocket connection">fail the WebSocket
connection</a> and abort the connection <a data-biblio-type="normative" data-link-type="biblio" href="#biblio-rfc6455" title="RFC6455">[RFC6455]</a>.
</li>
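Review bot: the replacement wording keeps the stray possessive from the old text, `relevant settings object</a>’s, then the client MUST`, so the sentence now reads "when applied to client’s entry script’s relevant settings object’s, then"; drop the trailing "’s" after the link. The substantive change, failing the WebSocket connection instead of throwing `SecurityError`, matches the title of RFC 6455 §7.1.7 ("Fail the WebSocket Connection") that the new link targets, and is consistent with the note added later in this commit.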


@@ -1289,28 +1312,18 @@ <h2 class="heading settled" data-level="6" id="websockets-integration"><span cla

</li>


</ul>


<p>The <a href="http://tools.ietf.org/html/rfc6455#section-4.1">Establish a
WebSocket Connection algorithm</a> <a data-biblio-type="normative" data-link-type="biblio" href="#biblio-rfc6455" title="RFC6455">[RFC6455]</a> is modified as follows:</p>


<ul>

<li>
After step 5, perform the following step:
After the current step 5, perform the following step:


<ol>

<li>
If secure is <strong>true</strong>, and the TLS handshake performed
in step 5 results in TLS-protection which is is <a data-link-type="dfn" href="#deprecated-tls_protection">deprecated</a>,
then the client MUST
<a href="http://tools.ietf.org/html/rfc6455#section-7.1.7">Fail the
WebSocket Connection</a> and abort the connection <a data-biblio-type="normative" data-link-type="biblio" href="#biblio-rfc6455" title="RFC6455">[RFC6455]</a>.
then the client MUST <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6455#section-7.1.7">fail the WebSocket connection</a> and abort
the connection <a data-biblio-type="normative" data-link-type="biblio" href="#biblio-rfc6455" title="RFC6455">[RFC6455]</a>.
</li>
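Review bot: the unchanged context line "results in TLS-protection which is is deprecated" has a doubled "is", and "secure" in "If secure is true" is a variable of the RFC 6455 algorithm that should be marked with `<var>` the way `client` and `entry script` are in the step added earlier in this commit; since this step is being rewritten anyway, fix both here. The new `data-link-type="dfn"` anchor on "fail the WebSocket connection" points at an external `https://tools.ietf.org/html/rfc6455#section-7.1.7` URL, which is the right target, but note the capitalisation now differs from the removed "Fail the WebSocket Connection"; pick one form and use it in both modified steps.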


@@ -1321,6 +1334,15 @@ <h2 class="heading settled" data-level="6" id="websockets-integration"><span cla


</ul>


<p class="note" role="note">Note: These changes together mean that we’ll no longer throw a
<code>SecurityError</code> exception directly upon constructing a WebSocket
object, but will instead rely upon blocking the connection and triggering the
<a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6455#section-7.1.7">fail the WebSocket connection</a> algorithm, which developers can catch by
hooking a <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/websockets/#the-websocket-interface">WebSocket</a></code> object’s <code class="idl"><a data-link-for="WebSocket" data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/websockets/#handler-websocket-onerror">onerror</a></code> handler. This is
consistent with the behavior of <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/XMLHttpRequest/#interface-xmlhttprequest">XMLHttpRequest</a></code>, <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/eventsource/#the-eventsource-interface">EventSource</a></code>, and
<code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455https://fetch.spec.whatwg.org/#dom-global-fetch">Fetch</a></code>.</p>
</section>
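Review bot: every `href` in the new note is the same run-together URL (`https://tools.ietf.org/html/rfc6455` followed by the real target), so the `WebSocket`, `onerror`, `XMLHttpRequest`, `EventSource` and `Fetch` links are all dead; the targets after the prefix are the intended ones. Separately, the last link is labelled `Fetch` and styled as an IDL interface while its target is `https://fetch.spec.whatwg.org/#dom-global-fetch`, the global `fetch()` method; write it as the `fetch()` method to match what the link points at. The note itself is accurate to the two modified algorithms: the check moves from the constructor into "Establish a WebSocket Connection", so authors observe the block through the `onerror` handler rather than a synchronous exception.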


@@ -1339,7 +1361,7 @@ <h3 class="heading settled" data-level="7.1" id="requirements-forms"><span class
<p>If <a data-section="" href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> returns <code>Restricts Mixed
Content</code> when applied to a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/#incumbent-settings-object" title="incumbent settings object">incumbent settings
Content</code> when applied to a <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/#incumbent-settings-object" title="incumbent settings object">incumbent settings
object</a>, then a user agent MAY choose to warn users of the presence of
one or more <a data-link-type="element" href="https://html.spec.whatwg.org/#the-form-element">form</a> elements with <a data-link-type="element-attr" href="https://html.spec.whatwg.org/#attr-fs-action">action</a>
attributes whose values are <a data-link-type="dfn" href="#insecure-url">insecure URLs</a>.</p>
@@ -1352,7 +1374,7 @@ <h3 class="heading settled" data-level="7.1" id="requirements-forms"><span class



<p>Further, a user agent MAY treat form submissions from such a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code>
<p>Further, a user agent MAY treat form submissions from such a <code class="idl"><a data-link-type="idl" href="https://tools.ietf.org/html/rfc6455http://www.w3.org/TR/html5/dom.html#document">Document</a></code>
as a request for <a data-link-type="dfn" href="#blockable-content">blockable content</a>, even if the submission occurs in
the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/#top-level-browsing-context">top-level browsing context</a>.</p>

