Re: [hybi] Masking of Control Frames that have a zero length payload.

"Arman Djusupov" <> Wed, 22 June 2011 09:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BB15011E8098 for <>; Wed, 22 Jun 2011 02:21:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hdM2jYbSdMoq for <>; Wed, 22 Jun 2011 02:21:07 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 65BC611E807F for <>; Wed, 22 Jun 2011 02:21:05 -0700 (PDT)
Received: from ArmanLaptop by (IceWarp 9.4.1) with ASMTP (SSL) id FPR34503; Wed, 22 Jun 2011 12:21:03 +0300
From: "Arman Djusupov" <>
To: "'John Tamplin'" <>, "'Len Holgate'" <>
References: <018501cc30b5$1939e460$0a00a8c0@Venus> <>
In-Reply-To: <>
Date: Wed, 22 Jun 2011 12:19:58 +0300
Message-ID: <004301cc30bd$93215850$b96408f0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQH+vxgWi2wQnl1x7vFTwQEstOhfWAJj77mmlFDcQQA=
Content-Language: en-us
Subject: Re: [hybi] Masking of Control Frames that have a zero length payload.
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Jun 2011 09:21:07 -0000

> IMHO, the utility of a zero-length frame seems low enough that it doesn't warrant adding a special case to leave off the mask if the payload length is zero.

In practice 0 length frames do appear quite often as terminal frames of messages when data is streamed from a source of unknown length. I see this happening when my implementation sends the output of an object serializer that flushes the stream and then suddenly closes it. If the message stream is closed when it doesn’t have any data buffered, there is no other option but to send the 0 length terminal frame for this message. Control frames are of course another case when the frame might contain no data.

However, I think that adding the mask to ALL frames uniformly is not a bad idea. It’s not a huge waste of bandwidth and does not cause any significant overhead, at the same time the random mask attached to the frame header increases the unpredictability of the payload which eliminates the remote chance that an attacker could produce some attack sequence by playing with opcodes and reserved flags when the API would permit using them (highly unlikely though). In any case, I do like the simplicity – “ALL frames are masked and end of story”, the fewer IF ELSE in the spec the better.

With best regards,