Re: [hybi] Concerns about Origin
Zhong Yu <zhong.j.yu@gmail.com> Mon, 22 November 2010 18:57 UTC
Return-Path: <zhong.j.yu@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5507628C114 for <hybi@core3.amsl.com>; Mon, 22 Nov 2010 10:57:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.411
X-Spam-Level:
X-Spam-Status: No, score=-2.411 tagged_above=-999 required=5 tests=[AWL=0.188, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mT9FFO88OKag for <hybi@core3.amsl.com>; Mon, 22 Nov 2010 10:57:19 -0800 (PST)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 9695D3A6AF2 for <hybi@ietf.org>; Mon, 22 Nov 2010 10:57:19 -0800 (PST)
Received: by pvc21 with SMTP id 21so1976355pvc.31 for <hybi@ietf.org>; Mon, 22 Nov 2010 10:58:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=LYsYOlVpT8GHhsQ7lr4yFjU+iFBZ+udpbR5n+Qi1mgQ=; b=mNh/1QjEesahY+sNDb/P6+UqazdaPW/y8HgkEw0suztBiDY8Hmy51VkBTvd0zXyyf0 vQHpwAvdSajgZG4dmo4qZBgqGOPXiq5vK+eu1ib7JHzyHirrk0arYeiFHcG4vNShouNe VMMn3oedshNmYRtCf6+OrEXevdSdMAfj8tIMI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=dd0+8RQ7Sk9Ro0oGEKw+Xn4B01+SDs/xw5CgZROYvhgih6Hw+/6hYH9tfiVta9Nz8f U9iB1zoKZKImRKrQDxGU8KXiqCjBpk+wpsejtUCVFhBfuvAvgAeZmWhfwdiFAgfqaE0a Kd9aPCc5ek9N+tziDPrYXyUMdmd64DAizGhMs=
MIME-Version: 1.0
Received: by 10.229.220.11 with SMTP id hw11mr5407175qcb.64.1290452295279; Mon, 22 Nov 2010 10:58:15 -0800 (PST)
Received: by 10.220.189.136 with HTTP; Mon, 22 Nov 2010 10:58:15 -0800 (PST)
In-Reply-To: <AANLkTi=qKiqcKPf3hcOzD5QfWvU-6ncfhMO6hwyV9sxM@mail.gmail.com>
References: <op.vmkpgllmidj3kv@simon-pieterss-macbook.local> <AANLkTi=hVXa1yFbLr-pRS25gA2F__X3bM9w08O99my6s@mail.gmail.com> <op.vmky62ixidj3kv@dhcp-190.linkoping.osa> <AANLkTi=qKiqcKPf3hcOzD5QfWvU-6ncfhMO6hwyV9sxM@mail.gmail.com>
Date: Mon, 22 Nov 2010 12:58:15 -0600
Message-ID: <AANLkTi=mgs6Jr1kLmeiha_hBHOEYMzonZC9Y-xa1_te9@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: John Tamplin <jat@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Concerns about Origin
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Nov 2010 18:57:20 -0000
On Mon, Nov 22, 2010 at 10:58 AM, John Tamplin <jat@google.com> wrote: > On Mon, Nov 22, 2010 at 11:38 AM, Simon Pieters <simonp@opera.com> wrote: >>> APIs for server apps should have a hook to the handshake event, so >>> that apps can participate in the handshake. Apps have an opportunity >>> here to check Origin, set cookies, etc. per connection. >> >> pywebsocket allows apps to do extra checks in the handshake, but I'd like to >> take a step further and make the origin choice a required step for the app >> writer. > > I would prefer the default behavior of the server to be that the > origin has to match exactly, > but that the app can override it, or when > the app is registered with the server it gives a list of acceptable > Origins. It's common that an application is deployed to different hosts at different times: developer's PC, test server, beta server, production server... The set of acceptable Origins are not fixed; rather it can be better described as { Origin="Host in request" } Anyways, the list of allowed Origin is not the concern of WS spec. I wish the spec could be more serious about the matter and mandate the server to match Origin against its list. - Zhong Yu
- Re: [hybi] Concerns about Origin Zhong Yu
- Re: [hybi] Concerns about Origin Simon Pieters
- [hybi] Concerns about Origin Simon Pieters
- Re: [hybi] Concerns about Origin John Tamplin
- Re: [hybi] Concerns about Origin Zhong Yu
- Re: [hybi] Concerns about Origin Zhong Yu
- Re: [hybi] Concerns about Origin Simon Pieters
- Re: [hybi] Concerns about Origin Simon Pieters
- Re: [hybi] Concerns about Origin Sylvain Hellegouarch