[html5] r7175 - [e] (0) Clarify what codes are exposed in case of error, since this text was mys [...]

whatwg at whatwg.org whatwg at whatwg.org
Wed Jul 11 16:09:37 PDT 2012


Author: ianh
Date: 2012-07-11 16:09:36 -0700 (Wed, 11 Jul 2012)
New Revision: 7175

Modified:
   complete.html
   index
   source
Log:
[e] (0) Clarify what codes are exposed in case of error, since this text was mysteriously removed from the RFC at some point.
Affected topics: HTML, WebSocket API

Modified: complete.html
===================================================================
--- complete.html	2012-07-10 21:58:16 UTC (rev 7174)
+++ complete.html	2012-07-11 23:09:36 UTC (rev 7175)
@@ -240,7 +240,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard — Last Updated 10 July 2012</h2>
+    <h2 class="no-num no-toc">Living Standard — Last Updated 11 July 2012</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
@@ -83090,7 +83090,47 @@
    <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error handling</a>, and dispatch
    the event at the <code><a href=#websocket>WebSocket</a></code> object. <a href=#refsWSP>[WSP]</a></li>
 
-  </ol><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
+  </ol><div class=warning>
+
+   <p>User agents must not convey any failure information to scripts
+   in a way that would allow a script to distinguish the following
+   situations:</p>
+
+   <ul><li>A server whose host name could not be resolved.
+
+    <li>A server to which packets could not successfully be routed.
+
+    <li>A server that refused the connection on the specified port.
+
+    <li>A server that failed to correctly perform a TLS handshake
+    (e.g., the server certificate can't be verified).
+
+    <li>A server that did not complete the opening handshake (e.g.
+    because it was not a WebSocket server).
+
+    <li>A WebSocket server that sent a correct opening handshake, but
+    that specified options that caused the client to drop the
+    connection (e.g. the server specified a subprotocol that the
+    client did not offer).
+
+    <li>A WebSocket server that abruptly closed the connection after
+    successfully completing the opening handshake.
+
+   </ul><p>In all of these cases, the <i><a href=#the-websocket-connection-close-code>the WebSocket connection close
+   code</a></i> would be 1006, as required by the WebSocket Protocol
+   specification. <a href=#refsWSP>[WSP]</a></p>
+
+   <p>Allowing a script to distinguish these cases would allow a
+   script to probe the user's local network in preparation for an
+   attack.</p>
+
+   <p class=note>In particular, this means the code 1015 is not used
+   by the user agent (unless the server erroneously uses it in its
+   close frame, of course).</p>
+
+  </div>
+
+  <hr><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
   task">queued</a> in this section is the <dfn id=websocket-task-source>WebSocket task
   source</dfn>.</p>
 
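Review bot: The paragraph added after the list renders as "the the WebSocket connection close code", because the article appears both outside and inside the italicised term (`the <i><a ...>the WebSocket connection close code</a></i>`). Drop the outer "the" so the sentence reads "In all of these cases, the WebSocket connection close code would be 1006". A smaller style point in the list: the TLS item writes "e.g.," with a comma while the two items after it write "e.g." without one; pick one form.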
@@ -103578,6 +103618,7 @@
   James Robinson,
   Jamie Lokier,
   Jan-Klaas Kollhof,
+  Jason Duell,
   Jason Kersey,
   Jason Lustig,
   Jason White,

Modified: index
===================================================================
--- index	2012-07-10 21:58:16 UTC (rev 7174)
+++ index	2012-07-11 23:09:36 UTC (rev 7175)
@@ -240,7 +240,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard — Last Updated 10 July 2012</h2>
+    <h2 class="no-num no-toc">Living Standard — Last Updated 11 July 2012</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
@@ -83090,7 +83090,47 @@
    <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error handling</a>, and dispatch
    the event at the <code><a href=#websocket>WebSocket</a></code> object. <a href=#refsWSP>[WSP]</a></li>
 
-  </ol><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
+  </ol><div class=warning>
+
+   <p>User agents must not convey any failure information to scripts
+   in a way that would allow a script to distinguish the following
+   situations:</p>
+
+   <ul><li>A server whose host name could not be resolved.
+
+    <li>A server to which packets could not successfully be routed.
+
+    <li>A server that refused the connection on the specified port.
+
+    <li>A server that failed to correctly perform a TLS handshake
+    (e.g., the server certificate can't be verified).
+
+    <li>A server that did not complete the opening handshake (e.g.
+    because it was not a WebSocket server).
+
+    <li>A WebSocket server that sent a correct opening handshake, but
+    that specified options that caused the client to drop the
+    connection (e.g. the server specified a subprotocol that the
+    client did not offer).
+
+    <li>A WebSocket server that abruptly closed the connection after
+    successfully completing the opening handshake.
+
+   </ul><p>In all of these cases, the <i><a href=#the-websocket-connection-close-code>the WebSocket connection close
+   code</a></i> would be 1006, as required by the WebSocket Protocol
+   specification. <a href=#refsWSP>[WSP]</a></p>
+
+   <p>Allowing a script to distinguish these cases would allow a
+   script to probe the user's local network in preparation for an
+   attack.</p>
+
+   <p class=note>In particular, this means the code 1015 is not used
+   by the user agent (unless the server erroneously uses it in its
+   close frame, of course).</p>
+
+  </div>
+
+  <hr><p>The <a href=#task-source>task source</a> for all <a href=#concept-task title=concept-task>tasks</a> <a href=#queue-a-task title="queue a
   task">queued</a> in this section is the <dfn id=websocket-task-source>WebSocket task
   source</dfn>.</p>
 
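Review bot: The closing note names code 1015 without saying what it stands for, so its "In particular" only follows for a reader who already knows the WebSocket Protocol's table of close codes. 1015 is the code that specification reserves for a failed TLS handshake, which is the fourth situation in the list. Say so in the note, for example "the code 1015 (TLS handshake failure) is not used by the user agent", so the link between that list item and the note is explicit.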
@@ -103578,6 +103618,7 @@
   James Robinson,
   Jamie Lokier,
   Jan-Klaas Kollhof,
+  Jason Duell,
   Jason Kersey,
   Jason Lustig,
   Jason White,

Modified: source
===================================================================
--- source	2012-07-10 21:58:16 UTC (rev 7174)
+++ source	2012-07-11 23:09:36 UTC (rev 7175)
@@ -96632,6 +96632,52 @@
 
   </ol>
 
+  <div class="warning">
+
+   <p>User agents must not convey any failure information to scripts
+   in a way that would allow a script to distinguish the following
+   situations:</p>
+
+   <ul>
+
+    <li>A server whose host name could not be resolved.
+
+    <li>A server to which packets could not successfully be routed.
+
+    <li>A server that refused the connection on the specified port.
+
+    <li>A server that failed to correctly perform a TLS handshake
+    (e.g., the server certificate can't be verified).
+
+    <li>A server that did not complete the opening handshake (e.g.
+    because it was not a WebSocket server).
+
+    <li>A WebSocket server that sent a correct opening handshake, but
+    that specified options that caused the client to drop the
+    connection (e.g. the server specified a subprotocol that the
+    client did not offer).
+
+    <li>A WebSocket server that abruptly closed the connection after
+    successfully completing the opening handshake.
+
+   </ul>
+
+   <p>In all of these cases, the <i>the WebSocket connection close
+   code</i> would be 1006, as required by the WebSocket Protocol
+   specification. <a href="#refsWSP">[WSP]</a></p>
+
+   <p>Allowing a script to distinguish these cases would allow a
+   script to probe the user's local network in preparation for an
+   attack.</p>
+
+   <p class="note">In particular, this means the code 1015 is not used
+   by the user agent (unless the server erroneously uses it in its
+   close frame, of course).</p>
+
+  </div>
+
+  <hr>
+
   <p>The <span>task source</span> for all <span
   title="concept-task">tasks</span> <span title="queue a
   task">queued</span> in this section is the <dfn>WebSocket task
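Review bot: The opening requirement forbids conveying "any failure information", but the only value the warning pins down is the close code (1006). Nothing here says what the rest of the close event carries in these seven cases, so two user agents could both report 1006 and still differ in the close reason, the wasClean flag, or whether an error event precedes close. Suggest stating the required values for those alongside the code, and saying whether the time at which the failure is reported counts as "failure information", since that is the remaining way the listed situations can differ from a script's point of view.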
@@ -121520,6 +121566,7 @@
   James Robinson,
   Jamie Lokier,
   Jan-Klaas Kollhof,
+  Jason Duell,
   Jason Kersey,
   Jason Lustig,
   Jason White,



