[e] (0) Clarify what codes are exposed in case of error, since this t…

…ext was mysteriously removed from the RFC at some point.

Affected topics: HTML, WebSocket API

git-svn-id: http://svn.whatwg.org/webapps@7175 340c8d12-0b0e-0410-8428-c7bf67bfef74

complete.html

 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 10 July 2012</h2>
+    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 11 July 2012</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
    <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error handling</a>, and dispatch
    the event at the <code><a href=#websocket>WebSocket</a></code> object. <a href=#refsWSP>[WSP]</a></li>
 
-  </ol><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
+  </ol><div class=warning>
+
+   <p>User agents must not convey any failure information to scripts
+   in a way that would allow a script to distinguish the following
+   situations:</p>
+
+   <ul><li>A server whose host name could not be resolved.
+
+    <li>A server to which packets could not successfully be routed.
+
+    <li>A server that refused the connection on the specified port.
+
+    <li>A server that failed to correctly perform a TLS handshake
+    (e.g., the server certificate can't be verified).
+
+    <li>A server that did not complete the opening handshake (e.g.
+    because it was not a WebSocket server).
+
+    <li>A WebSocket server that sent a correct opening handshake, but
+    that specified options that caused the client to drop the
+    connection (e.g. the server specified a subprotocol that the
+    client did not offer).
+
+    <li>A WebSocket server that abruptly closed the connection after
+    successfully completing the opening handshake.
+
+   </ul><p>In all of these cases, the <i><a href=#the-websocket-connection-close-code>the WebSocket connection close
+   code</a></i> would be 1006, as required by the WebSocket Protocol
+   specification. <a href=#refsWSP>[WSP]</a></p>
+
+   <p>Allowing a script to distinguish these cases would allow a
+   script to probe the user's local network in preparation for an
+   attack.</p>
+
+   <p class=note>In particular, this means the code 1015 is not used
+   by the user agent (unless the server erroneously uses it in its
+   close frame, of course).</p>
+
+  </div>
+
+  <hr><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
   task">queued</a> in this section is the <dfn id=websocket-task-source>WebSocket task
   source</dfn>.</p>
 
   James Robinson,
   Jamie Lokier,
   Jan-Klaas Kollhof,
+  Jason Duell,
   Jason Kersey,
   Jason Lustig,
   Jason White,

index

 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 10 July 2012</h2>
+    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 11 July 2012</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
    <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error handling</a>, and dispatch
    the event at the <code><a href=#websocket>WebSocket</a></code> object. <a href=#refsWSP>[WSP]</a></li>
 
-  </ol><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
+  </ol><div class=warning>
+
+   <p>User agents must not convey any failure information to scripts
+   in a way that would allow a script to distinguish the following
+   situations:</p>
+
+   <ul><li>A server whose host name could not be resolved.
+
+    <li>A server to which packets could not successfully be routed.
+
+    <li>A server that refused the connection on the specified port.
+
+    <li>A server that failed to correctly perform a TLS handshake
+    (e.g., the server certificate can't be verified).
+
+    <li>A server that did not complete the opening handshake (e.g.
+    because it was not a WebSocket server).
+
+    <li>A WebSocket server that sent a correct opening handshake, but
+    that specified options that caused the client to drop the
+    connection (e.g. the server specified a subprotocol that the
+    client did not offer).
+
+    <li>A WebSocket server that abruptly closed the connection after
+    successfully completing the opening handshake.
+
+   </ul><p>In all of these cases, the <i><a href=#the-websocket-connection-close-code>the WebSocket connection close
+   code</a></i> would be 1006, as required by the WebSocket Protocol
+   specification. <a href=#refsWSP>[WSP]</a></p>
+
+   <p>Allowing a script to distinguish these cases would allow a
+   script to probe the user's local network in preparation for an
+   attack.</p>
+
+   <p class=note>In particular, this means the code 1015 is not used
+   by the user agent (unless the server erroneously uses it in its
+   close frame, of course).</p>
+
+  </div>
+
+  <hr><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
   task">queued</a> in this section is the <dfn id=websocket-task-source>WebSocket task
   source</dfn>.</p>
 
   James Robinson,
   Jamie Lokier,
   Jan-Klaas Kollhof,
+  Jason Duell,
   Jason Kersey,
   Jason Lustig,
   Jason White,

source

 
   </ol>
 
+  <div class="warning">
+
+   <p>User agents must not convey any failure information to scripts
+   in a way that would allow a script to distinguish the following
+   situations:</p>
+
+   <ul>
+
+    <li>A server whose host name could not be resolved.
+
+    <li>A server to which packets could not successfully be routed.
+
+    <li>A server that refused the connection on the specified port.
+
+    <li>A server that failed to correctly perform a TLS handshake
+    (e.g., the server certificate can't be verified).
+
+    <li>A server that did not complete the opening handshake (e.g.
+    because it was not a WebSocket server).
+
+    <li>A WebSocket server that sent a correct opening handshake, but
+    that specified options that caused the client to drop the
+    connection (e.g. the server specified a subprotocol that the
+    client did not offer).
+
+    <li>A WebSocket server that abruptly closed the connection after
+    successfully completing the opening handshake.
+
+   </ul>
+
+   <p>In all of these cases, the <i>the WebSocket connection close
+   code</i> would be 1006, as required by the WebSocket Protocol
+   specification. <a href="#refsWSP">[WSP]</a></p>
+
+   <p>Allowing a script to distinguish these cases would allow a
+   script to probe the user's local network in preparation for an
+   attack.</p>
+
+   <p class="note">In particular, this means the code 1015 is not used
+   by the user agent (unless the server erroneously uses it in its
+   close frame, of course).</p>
+
+  </div>
+
+  <hr>
+
   <p>The <span>task source</span> for all <span
   title="concept-task">tasks</span> <span title="queue a
   task">queued</span> in this section is the <dfn>WebSocket task
   James Robinson,
   Jamie Lokier,
   Jan-Klaas Kollhof,
+  Jason Duell,
   Jason Kersey,
   Jason Lustig,
   Jason White,