Re: [hybi] "Establish a WebSocket Connection" does not allow for cookies

Anne van Kesteren <annevk@annevk.nl> Mon, 14 March 2016 08:29 UTC

Return-Path: <annevk@annevk.nl>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6D2412DA4C for <hybi@ietfa.amsl.com>; Mon, 14 Mar 2016 01:29:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.373
X-Spam-Level:
X-Spam-Status: No, score=-1.373 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=annevk.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWK8JCYxu5yO for <hybi@ietfa.amsl.com>; Mon, 14 Mar 2016 01:29:03 -0700 (PDT)
Received: from homiemail-a61.g.dreamhost.com (homie.mail.dreamhost.com [208.97.132.208]) by ietfa.amsl.com (Postfix) with ESMTP id 7864212D8ED for <hybi@ietf.org>; Mon, 14 Mar 2016 01:29:03 -0700 (PDT)
Received: from homiemail-a61.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a61.g.dreamhost.com (Postfix) with ESMTP id 1CD32578077 for <hybi@ietf.org>; Mon, 14 Mar 2016 01:29:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=annevk.nl; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; s=annevk.nl; bh=Cz9sVNtBMZ83IfcSCOZBr6h3oeQ=; b=qb IYTldK3C76QQgdxy0OC54VXtOElmPbAn/qm90M4OOcoU7Sh1mMtqjXUBEmzl6nNM vS1kO4Am6zEME/B/2z16qkJfxu/foNIeH/QQZpN51VUc09m5/g4hmRthBgTYkaK2 LVD9y+4v4AjqWUTKREL5aOu6l2emb+cPQYjds+nZw=
Received: from mail-yw0-f172.google.com (mail-yw0-f172.google.com [209.85.161.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: annevk@annevk.nl) by homiemail-a61.g.dreamhost.com (Postfix) with ESMTPSA id 0BAC4578059 for <hybi@ietf.org>; Mon, 14 Mar 2016 01:29:03 -0700 (PDT)
Received: by mail-yw0-f172.google.com with SMTP id d65so158515129ywb.0 for <hybi@ietf.org>; Mon, 14 Mar 2016 01:29:03 -0700 (PDT)
X-Gm-Message-State: AD7BkJIvPqfrf7q+7hxo8Nr1YvwjuUm32Ps7EOvipBLYusP6d+vJH46xt1K+eESqMWxu7VpmXV0FEIt+nXz4mA==
MIME-Version: 1.0
X-Received: by 10.13.217.77 with SMTP id b74mr1912364ywe.73.1457944142238; Mon, 14 Mar 2016 01:29:02 -0700 (PDT)
Received: by 10.37.50.78 with HTTP; Mon, 14 Mar 2016 01:29:02 -0700 (PDT)
In-Reply-To: <2B9B48179856DC4FA00C93C79EB7E64A0E965F03@ESESSMB109.ericsson.se>
References: <CADnb78iWYqqG1t+bYRtMvFifJru06JXb0=KQgfunRrXt-+8E8w@mail.gmail.com> <55EB2FBF.4080602@gmx.de> <CADnb78hy8zG_PuOY9X0wtyJLqOH=D8BHyTnqjgwXtze3UmG9ZA@mail.gmail.com> <2B9B48179856DC4FA00C93C79EB7E64A0E965F03@ESESSMB109.ericsson.se>
Date: Mon, 14 Mar 2016 09:29:02 +0100
X-Gmail-Original-Message-ID: <CADnb78hjCgkLc9DjMep_at=U21nkchJYQWBevEfYW0C8y9-vAw@mail.gmail.com>
Message-ID: <CADnb78hjCgkLc9DjMep_at=U21nkchJYQWBevEfYW0C8y9-vAw@mail.gmail.com>
From: Anne van Kesteren <annevk@annevk.nl>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/hybi/2OIyLSs5JjDfiFB_I_HGoSinsqc>
Cc: Julian Reschke <julian.reschke@gmx.de>, "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] "Establish a WebSocket Connection" does not allow for cookies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hybi/>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2016 08:29:04 -0000

On Thu, Sep 17, 2015 at 2:54 PM, Salvatore Loreto
<salvatore.loreto@ericsson.com> wrote:
> Not completely sure, but maybe we can worn on an Errata to clarify this

FWIW, since the group was closed, and this didn't get addressed, I
didn't really anticipate similar issues to get addressed either. So
for now we have this patch of the WebSocket protocol in Fetch that
ensures any security features that the browser gets for fetching
resources, also get applied to the WebSocket client handshake (e.g.,
the upgrade insecure requests feature and port blocking).

And the WebSocket API simply references that algorithm:

https://fetch.spec.whatwg.org/#websocket-protocol
https://html.spec.whatwg.org/multipage/comms.html#dom-websocket

In the course of doing this we also found that the WebSocket API
didn't allow for extensions, while all browsers implement one, so we
have opened

https://github.com/whatwg/html/issues/852

to address that and I hope to get to it soonish. Likely today.


-- 
https://annevankesteren.nl/