Re: [hybi] Websocket: two protocols into one, and Internet rules broken

Willy Tarreau <w@1wt.eu> Thu, 16 June 2011 14:40 UTC

On Thu, Jun 16, 2011 at 04:28:24PM +0200, Iñaki Baz Castillo wrote:
> 2011/6/16 Anthony Catel <a.catel@weelya.com>:
> > I mean, if the browser can open a "raw" TCP connection and implement any
> > kind of protocol.
> > This must lead to a prompt "Do you allow your browser to open a connection
> > to xxxx:xxx?" which I think is not suitable for user experience.
> 
> I never said that a web browser should allow opening any kind of
> communication with a remote server :)
> 
> I just said that, if it's standardized, why not allow a web browser
> to directly speak other protocols such as SIP or XMPP? I don't mean raw
> speaking such protocol from JavaScript or whatever, that should not be
> allowed as per security reasons. I mean that web browsers could
> implement a SIP and/or XMPP client and provide an API (i.e. for
> JavaScript) to use it (the very same as WebSocket proposes). Security
> would be built-in within the browser implementation.
> 
> PS: I don't want web browsers implementing SIP or XMPP, it was just an
> example ;)

Those subjects were discussed to great extent last year. One of the points
was to reuse existing infrastructure (filtering, proxying, load balancing).
Another one was that a protocol relying on existing infrastructure and
policy rules will get faster adoption than one which requires new ports
to be qualified then opened at many places for the protocol to work. Many
of us are used to working at places where only 80 is opened via proxies, 443
is on a white-list and nothing else is allowed. In such environments, XHR
has been working well precisely because it did not require revisiting
established policies.

Regards,
Willy