Re: [hybi] WebSocket feedback

Greg Wilkins <gregw@webtide.com> Thu, 04 March 2010 17:20 UTC


Vladimir Katardjiev wrote:

> I don't think it's an attack vector anymore. Originally, it was to 
> prevent XHR/CORS from creating a WebSocket connection, but the
> requirements on Sec-* headers should avert that. Right now it has
> more to do with having a websocket connection fail early in case
> of an intermediary that doesn't understand websockets.

I think there are plenty of intermediaries that don't
understand websocket that will pass these bytes on well enough
for the handshake to pass.

Problems with transparent intermediaries that don't understand
websocket are more likely to manifest themselves on small blocks
of bytes sent independently of a valid HTTP request.

Having a header (with spaces) inserted by the web socket
client that the server needed to echo back was a solution
to the problem that appeared to have pretty good consensus.
I think this latest proposal goes a little too far.

Probably we need to spend some more time getting the
requirements well written and accepted before we can decide
if such complications in the handshake are actually
needed by any agreed requirement.

cheers