[hybi] WebSockets feedback

[Ian Hickson <ian@hixie.ch>]

This e-mail has replies to various e-mails sent to the list in the past 
few weeks that I had put aside to reply to. The changes referenced in this 
e-mail are just to the editor's working copy (and the WHATWG copy) of the 
Web Sockets draft, and are not an attempt at making any proposals for 
working group consensus at this time. There's nothing especially important 
in this e-mail, it's mostly just discusson of goals and priorities and 
some minor (mostly editorial) changes to the draft.


On Thu, 4 Mar 2010, Greg Wilkins wrote:
> 
> I hope that this type of mass update is a once off due to the 
> circumstances we find in starting off the WG.

I am open to whatever working style people prefer; in the past people have 
indicated to me that they much prefer when I do bulk replies so they can 
get up to date on all the issues at once rather than having me post 
separate messages to each thread (which has been described as "spamming" 
the group).


> In general I think it would be far easier handle changes in smaller 
> increments and individual threads. Also it would be good to see proposed 
> diffs to the draft before they are actually just put in the draft.  

The changes are available in diff form from the HTML5 Revision Tracker:

   http://html5.org/tools/web-apps-tracker

The source document is in Subversion if you want specific versions:

   http://svn.whatwg.org/webapps/source

When it comes to editing the group's document I'm happy to work in 
whatever way is preferred by the chairs.


> If the handshake messages are to contain content, then they MUST have 
> headers to indicate the content length to be legal HTTP: in this case, a 
> Content-Length header would be appropriate

The idea here is that the 8 random bytes are part of the post-Upgrade Web 
Socket connection, not the GET request, so that any intermediaries will 
fail to send the data along if they do any interpretation, thus failing 
early. If we included them in the Content-Length then unfortunately the 
early failure mode of intermediaries would be lost.


> Considering that we are already shipping products with websocket 
> implementations from the existing draft, can we specify a transition to 
> the new handshake in an appendix.

I'm not sure what you mean; these are all highly immature drafts, I 
wouldn't expect anyone using any of them to expect them to be in any way 
reliable.


> Ie while the standard is under development connections without
> websocket keys MAY be accepted, but implementation SHOULD warn
> that support for such connections is deprecated.

While the standard is under development, any connections are going to be 
purely experimental, so it doesn't seem especially important to have 
conformance criteria specifically for them.


> The text of 1.3, still kind of implies that the HTTP fields must be 
> ordered as per the spec.  Can we add a sentence to say that header 
> ordering may be different.

Quite early in that section it says:

   Fields in the handshake are sent by the client in a random order; the
   order is not meaningful.


> Also I'm not sure this sentence is really that clear:
> 
>  "Additional fields are used to select options in the WebSocket
>    protocol.  The only option available in this version is the
>    subprotocol selector, |Sec-WebSocket-Protocol|:"
> 
> I thought we were going to allow arbitrary extra headers, but that their 
> interpretation was not defined by the ws spec other than the optional 
> Sec-WebSocket-Protocol.  We still need to allow headers for cookies, 
> authentication etc.

Well obviously we wouldn't want to allow arbitrary proprietary fields, 
since, by definition, those would be proprietary and thus not 
interoperable. The only legitimate use case I can think of for such 
extensions would be experimentation, but we don't need those to be 
conforming since experimentation is by its very nature done in controlled 
environments and not expected to interoperate.

I've added "Cookie" to the list, though. As you say, that one is relevant 
in this version.


On Fri, 5 Mar 2010, Thomson, Martin wrote:
> >
> > For this reason, and because it is generally much easier, 
> > sentinel-based framing is used for text frames.
> 
> A lot of accommodation has been made for this mythical brain-dead 
> programmer.

As any Web browser vendor can tell you, he's not so mythical. The antics 
of such authors are so common that the term "tag soup" was coined to 
describe how such authors manhandled HTML.


> Build an "idiot-proof" system and you'll just breed a more 
> virulent strain of idiot.

I don't think anyone is arguing that the proposal is idiot-proof; only 
that amateurs are an important consideration.


> And, as Greg continues to point out, easier is subjective.  For some 
> value of easier, you also get injection attacks and other wonderful 
> things.

I agree that it is subjective. That doesn't mean we should ignore the 
problem, however.


> > From the Web Socket point of view, it shouldn't fail for any size.
> 
> There's a marked difference between "designed for large files" and 
> "suitable for large files".  I personally don't get the use case.  If I 
> want to transfer a large file, it seems obvious to me that indirection 
> is the right solution.  Put a URI in your WS message and let the other 
> end fetch the data.

It's not clear to me what URI you would provide if you are wanting to 
upload (from the client) a 4GB video file, though I agree that it may 
well be wise to use XHR instead of Web Socket to do so.


> One reason you don't want to overload protocol use is that you might 
> give WS traffic a higher priority; file transfers usually get lower 
> priority.  Dumping them all in the same stream leaves you with no way to 
> treat these things separately.

Indeed. That's somewhat academic though since currently there's no way to 
send binary files at all in the API.


> > > > Leading zeros are not disallowed. (There wouldn't be much point 
> > > > disallowing them as far as I can tell.)
> > >
> > > Yes, because multiple representations of the same values has *never* 
> > > caused a security issue.
> > 
> > On the contrary, it's often the source of problems. However, in this 
> > case, I don't really see how it could be. Do you have an attack model 
> > in mind?
> 
> Establishing a covert channel using leading zeroes on each frame might 
> be fun.

Given that you control the client and the server, why would you need such 
a complicated channel? Just use Web Socket.

There's no way to either send or receive these leading zeros from the API 
anyway, so I don't see how you could use this. (If you just wanted to send 
data from a command-line app, you might as well just use raw TCP instead 
of using an obscure part of Web Sockets.)


> Causing a buffer overrun might also be possible.  Assume that an 
> implementation assumes that it can reject a frame when its size gets 
> above a certain threshold.  That implementation supports 10K frames.  A 
> bad implementation incorrectly assumes that the size is never going to 
> take more than two octets, so they only read a few to start:
> 
> Byte[] octets = readSomeOctets();
> Int size = 0;
> for( int i = 0; octets[i] & 0x80 == 0x80; ++i) {
>    size = size << 7 + (octets[i] & 0x7f);
>    if (size > 10000) { throw error; }
> }
> 
> (Yes, that's terrible code.)

Yup. It's not clear to me what you're proposing instead, though. Short of 
just using a fixed-length length field, which I would consider short- 
sighted given the way that network abilities grow over time, I don't see a 
good way to avoid this problem.


> > More importantly, I don't really see what our options are here.
> 
> You can stop insisting that implementers are stupid or lazy.  While 
> there's plenty of evidence to the contrary, there's also evidence that 
> stupid or lazy implementations don't live long enough to thrive.

I see no evidence that the "stupid or lazy" programmers "don't live". 
Quite the contrary, it seems to me that most of the Web is built from 
amateurs -- the long tail is almost all amateurs and I see no reason why 
we should ignore them, especially not just for our convenience.


> If you are assuming that people are idiots, it might be worth pointing 
> out that calling read() on a TCP socket doesn't return an entire frame 
> always.

As the spec is written, such an assumption is harmless, since the spec 
leads an amateur towards reading one byte at a time.


> I've seen code that assumes that one call to read() corresponds to a 
> write() on the other end. When two messages are written close enough 
> together that they get bundled into the same packet, the second message 
> is lost; when a write is too big to fit into the same packet, the tail 
> of that message is lost.
> 
> How far do you want to go?

Pretty much exactly as far as we have gone.


> > I don't see what else we can say with respect to handling DOS or 
> > overflow attacks.
> 
> We can explain how someone might detect such an attack.  We can explain 
> what they might do to mitigate the damage.

I'm happy to add such text; do you have any concrete suggestions?


On Fri, 5 Mar 2010, Greg Wilkins wrote:
> 
> I know you respond to a lot of feedback... but continually merging it to 
> be under a single "Feedback" thread is really not conducive to 
> discussion.  If feels more like you are handing down your decisions from 
> the mountain... and I think contributes somewhat to the excessive heat 
> on this list.

I understand that it may appear that way; as noted, though, other people 
have in fact encouraged me to use this style, so unless I hear otherwise 
from the chairs, I will continue to use this style.


On Fri, 5 Mar 2010, Greg Wilkins wrote:
> > On Wed, 24 Feb 2010, Arman Djusupov wrote:
> >> We currently use 0x81 as the identifier of the first and subsequent 
> >> frames, and 0x80 as the identifier of the last frame. When a message 
> >> is contained in a single then it starts with 0x80.
> >
> > Please don't use frame types that aren't defined yet.
> 
> I thought that a sub protocol was free to use the frame type bytes.

No? What suggests that?


> The frame type byte is defined in the protocol, but with a meaning 
> allocated to only 1 bit - leaving the other 7 available for 
> subprotocols.

Oh good lord, no, the frame type is intended to be reserved for future 
revisions of the protocol. The spec is very precise about what can be 
sent, and currently the only frame types that the spec says a peer can 
send are 0x00 and 0xFF. There'd be no point sending anything else since 
the client implementations would ignore them.

(Some people might want to use a Web Sockets-like protocol, that isn't 
Web Sockets but looks a lot like it, for dedicated client-to-server 
communications unrelated to the Web Socket API. For those, this spec is 
irrelevant, though. They would just write their own spec that happened to 
look a lot like Web Sockets.)


> >> However, I'd be inclined to split the reservation into "reserved for 
> >> future Web Socket revisions and approved extensions" versus "reserved 
> >> for applications to use as they want".
> >
> > Since the API doesn't expose the frame types at all, I don't 
> > understand why any would fall into the second category.
> 
> Ian, I think you are not considering one of the most likely implementors 
> of subprotocols - browsers!
> 
> A subprotocol that provides one or more of: multiplexing, compression, 
> fragmentation, etc would be most useful if implemented transparently 
> below the websocket API by the browsers themselves.
> 
> I certainly do not think that frame bytes should be exposed to the js 
> application, as they are primarily a transport concern and [sic]

I would fully expect us to extend the protocol in the future with more 
features, but that would just be part of the Web Sockets protocol, it 
wouldn't be UA-defined additional frame types.


> > If you're exposing a Web Socket server for non-browser UAs, just make 
> > the client send something in the handshake that opts in to using a 
> > different protocol (that looks very similar to Web Socket, but isn't), 
> > and then this whole spec becomes irrelevant, and you can use whatever 
> > mechanisms you want.
> 
> We don't want an infinite variety of websocket like protocols. One of 
> the huge challenges for websocket is to get the intermediaries and other 
> network appliances to work well with websocket.

People are using BitTorrent, Tor, IMAP, etc, today. Why would future 
non-Web-browser client-side protocols be any different?


> Once that is done, then ideally any subprotocol variation can be 
> transparent to intermediaries and they will not need to be updated as 
> new and interesting uses for websocket are invented.

Well certainly the "infinite variety" of protocols you speak of could look 
enough like Web Socket that that would work, but I really don't think that 
should be a concern for this working group.


> I think this is the acid test of what should be in the base protocol and 
> what should not.  Ie the base protocol should not have any feature that 
> can be subsequently implemented without affecting intermediaries.

Why isn't TCP the base protocol?


> > On Thu, 4 Mar 2010, Dave Cridland wrote:
> >> I'd be happy with, at this point, mere reservation of a range for 
> >> protocol purposes, and leaving a range clear for subprotocol usage.
> >
> > I don't understand how a subprotocol would ever make use of these 
> > frame types. The API doesn't expose them.
> 
> I think it is really important that we all come to an understanding of 
> how subprotocols are going to work.  It's not sufficient to boot a whole 
> bunch of requested features "to be implemented in subprotocols", but 
> then every time somebody proposes how a subprotocol could work they are 
> told that they can't do that because it can't be implemented in the 
> javascript API.

I don't understand what is unclear here. Web Socket exposes a mechanism 
whereby strings of text are sent client to server or server to client. 
Connections are identified by a resource name. Subprotocols therefore have 
that to work with.


> I know you think that application programmers will write absolutely 
> everything except the browser. Well good for you and I wish you well.
> 
> But can you also respect the position that many of us want to continue 
> to stand on the shoulders of giants and reuse software developed by 
> others.
> 
> I think it is entirely reasonable to expect that websocket extensions 
> and subprotocols will be implemented by browsers and server side 
> frameworks and provide a whole range of transport features hidden from 
> the application developer.

Why would that happen separate from this working group?


On Fri, 5 Mar 2010, Greg Wilkins wrote:
> Ian Hickson wrote:
> > The HTTP auth headers aren't currently added to the Web Socket 
> > connection; this was briefly in the spec but was taken out based on 
> > implementor feedback a few months ago.
> 
> I think this is shortsighted and you are disabling an existing 
> authentication mechanism without providing an alternative.
> 
> The upgrade request should be a standard HTTP request and should be able 
> to be authenticated as any other HTTP request.

In practice HTTP requests are authenticated by cookies, which are allowed.


> > On Thu, 4 Mar 2010, Greg Wilkins wrote:
> >> But the problem with this is it assumes success and that a 101 is the 
> >> only possible response.
> > 
> > Why is that a problem?
> 
> I explained the problem in the next paragraph!
> 
> This "solution" will prevent the use of HTTP return status codes. The 
> server will only have the option of sending a 101 or closing the 
> connection.
> 
> Even if you don't accept the example potential uses I've outlined, it 
> strikes me as shortsighted to disable yet another standard mechanism in 
> the name of protecting against some phantom menace.

I don't think that's the reasoning... The reasoning is simply that it 
isn't needed. If you want to use HTTP, the HTTP spec already exists. 
There's no need for Web Sockets to be involved _unless_ you actually 
connect to a Web Socket server. If you're just doing HTTP-to-HTTP, the 
Web Sockets spec is irrelevant.


> >> If the bytes after the request header are sent as request content, 
> >> what attack verctor is opened up?
> > 
> > I think Maciej described the cross-protocol attack in detail last 
> > month, that's probably the best description of the problem I've seen.
> 
> You are misrepresenting this.
> 
> Maciej described an attack vector that is easily addressed simply by 
> having a unique ID in the headers that the server needs to include in 
> the response. If the unique ID is generated by the browser, then it will 
> not even be in existence when any injection attack is formulated and 
> thus we are safe unless the ID is predicable.

The key is protecting against HTTP client to Web Socket server attacks, 
e.g. using XHR to send fake Web Socket requests to the server, that trick 
the server into performing actions that were not requested and that, had 
the client actually been a Web Socket client, would not have been done, 
since the connection would not have been accepted. If the key was only 
sent as a single header, then a simple server-side implementation would 
just match a regexp against the entire request and would easily be tricked 
by header-like text smuggled into the path. By having two Sec-prefixed 
headers, requiring that the headers contain one or more spaces, requiring 
that the server look for a newline to terminate the header, and requiring 
that there be text after the request, it becomes extremely hard to cause a 
client to send everything needed to the server to cause any harm.

(We're only worried about Web browsers doing this because they have the 
user's cookies. Direct connections from an attacker aren't a problem since 
they do not have any ambient authority.)


> The issue the random bytes after the GET request and after the 101 
> response are trying to handle is that of fast fail.  While fast fail is 
> a desirable attribute, there has been no rigorous explanation of how 
> this "solution" achieves that - nor was there any discussion of 
> alternative ways this could be achieved.

It seemed pretty obvious... intermediaries that don't recognise Web Socket 
would consider the eight bytes part of an unrelated request and would thus 
fail to parse them, rather than sending them as part of the first request.


> There has been no evidence or argument presented that this "solution" 
> actually provides fail fast semantics.

Agreed; this is merely hypothetical at this point. Hopefully we will be 
able to test the design before the spec is done.


> Yet this speculative "solution" has been added to the spec at the cost 
> of disabling the possibility of using the established HTTP response.

Not sure what this means.


> There are a significant number of response codes that may be of value in 
> the handshake, either now or in the future. While there may be some 
> problems with using some of them, those issues should be identified and 
> discussed - not wholesale disabling of the possibility to use them.

I don't think anyone is suggesting we change HTTP. If an HTTP server 
receives a request, it is perfectly legitimately allowed to respond using 
HTTP. Same with an HTTP client.


On Fri, 5 Mar 2010, Jamie Lokier wrote:
> Ian Hickson wrote:
> > length measurement wrong without realising it (because of only testing 
> > ASCII, but outputting the string length instead of the byte length). 
> > For this reason, and because it is generally much easier, 
> > sentinel-based framing is used for text frames.
> > 
> > In practice this means that most authors need only implement the 
> > sentinel framing (which is trivial); only more advanced (and thus 
> > competent) authors will need to implement the more complicated 
> > framing.
> 
> What about "UTF-8 text" that incorrectly, but in reality, contains 0xFF 
> bytes?  This can happen in most scripting languages unintentionally, for 
> example a script which reads lines from a file that "should" be in UTF-8 
> (but really contains some 0xff bytes) and sends them as messages, will 
> result in a frame injection error.

Yes, that is indeed a concern. The spec mentions this explicitly actually.


> That's even more likely for, say, reading a directory from a filesystem 
> where UTF-8 is the standard name encoding, and sending those names in a 
> message.  Except... in reality, it's easy for someone to subvert it by 
> putting something non-UTF-8 in there.

Indeed, if there's any non-Web Socket way of getting data into the app, it 
may be possible to get an invalid 0xFF in.


> > On Thu, 18 Feb 2010, Jamie Lokier wrote:
> > > But that ignores something: An endpoint shouldn't be sending frame 
> > > types that the other end doesn't know about.  So there is no need to 
> > > specify how to discard binary frames, unless there is a general 
> > > principle of discarding frames with unknown type byte too.
> > 
> > There _is_ a general principle of discarding frames with unknown type 
> > bytes.
> > 
> > We need to make sure that today's clients don't handle tomorrow's 
> > servers in unpredicatable ways, because if they do, then we might 
> > never be able to upgrade the protocol, due to Web pages depending on 
> > particular behaviours, the same way that, for example, many Web pages 
> > depend on browsers doing browser sniffing, or on browsers ignoring 
> > Content-Location headers.
> 
> But that's what the subprotocol negotiation is for.  We should encourage 
> it's use, or spell out the circumstances in which it's useful for an 
> endpoint to speculatively use frame types that the other end might not 
> recognise.

I don't see how subprotocol negotiation would be relevant here.


> > > One thing that *really* needs to be right early on is making sure 
> > > future proxies know the frame boundaries, for efficient forwarding.
> > > 
> > > If the spec didn't describe binary frame delimiting, we could find, 
> > > in a few years, that we'd have no choice but to use UTF-8 for 
> > > everything, even having to encode binary messages into Unicode text, 
> > > simply because some parts of the net would have proxies parsing 
> > > WebSocket frames and failing to forward anything else properly or 
> > > with useful timing/buffering.
> > > 
> > > That's not stated in the spec, but it's an implied consequence of 
> > > the binary frame rule being described that WebSocket-aware proxies 
> > > will probably apply it.  Perhaps it should be explicit.
> > 
> > I don't see why we'd want any client-side proxies other than SOCKS 
> > proxies or HTTP proxies (via CONNECT), and on the server-side it seems 
> > that upgrading dedicated Web Socket-aware proxies would be relatively 
> > easy in this kind of scenario.
> 
> It's not about what you/we want - it's what we'll get *anyway*, because 
> (a) other people will insist on firewalling your WebSocket connections, 
> to make sure you can only send non-pornographic text messages or 
> whatever, and (b) there are significant transport optimisations possible 
> using proxies, so they will be deployed.
> 
> I'm already finding that I have to write a client-side proxy - to merge 
> keepalives from multiple WebSocket conections, and reduce the number of 
> TCPs to a managable level for a slow network.  I anticipate installing 
> it as a site-wide TCP-intercepting proxy.  That's an example of 
> transport optimisation using a proxy - invisible to the actual clients 
> and servers, and they can't avoid it.  By the way, you mentioned 
> "author-friendly" elsewhere as a criterion.  This is very author 
> friendly because the endpoints don't know or care.
> 
> If I'm already looking at this at this early stage, then I won't be the 
> only one doing it when it's widely deployed.

I don't really understand what you're asking for here. Are you suggesting 
we should define a third conformance class in the spec for 
man-in-the-middle proxies? I suppose we could do that. Would it need any 
requirements other than passing through the bytes unchanged?


> If I send the frame length 2^128, so that I can follow it with any 
> amount of binary data (effectively turning the connection into a byte 
> stream), I am sure that some future implementation, perhaps a proxy, 
> will treat it as zero and then break.

Well there's no binary sending or receiving mechanism at all right now, so 
it's not yet clear how it'll work, but I would presume that to send it'll 
merely take a File or Blob object or whatever JS binary type is made, and 
send it, and to receive it'll wait for the whole frame and then create a 
Blob or whatever JS binary type is made, and fire a single event. So you 
wouldn't be able to stream things in a single frame; the API wouldn't 
expose it that way.

(If you're doing that in a non-browser setting, i.e. you've made an API 
that is specifically for non-browser clients, then the Web Sockets spec is 
irrelevant -- you can just make your own protocol that looks as close to 
Web Sockets as you want, and just call it your own protocol. No need to 
worry about the Web Sockets spec.)


> There is also the open question of what buffering and forwarding 
> behaviour is expected, both of proxies, and of receivers.  If I send a 
> large frame incrementally (i.e. by writing bytes), is it permitted to 
> buffer it with unlimited delay until the end of the frame, or must the 
> received bytes be passed on to the application, or the next hop in the 
> case of a proxy?

For the client (using the API), the data is exposed as an event, so 
there's no choice.

For the server, there doesn't seem to be any particular practical 
difference from an interoperability perspective, it's just an 
implementation detail.

For a man-in-the-middle proxy, either behaviour can naturally occur due to 
regular network weather, so I don't think there's much point requiring one 
or the other.


> > On Wed, 24 Feb 2010, Arman Djusupov wrote:
> > > 
> > > I have a use case which doesn't seem to have been taken into account 
> > > in the spec. When large binary messages of initially unknown size 
> > > are getting streamed over a connection, the transport does not know 
> > > the final size of the binary message when it starts serializing it 
> > > and so it cannot encode the message's length at the start of the 
> > > binary frame. In our implementation we handle such cases by 
> > > buffering data until the buffer is full and then flushing it into a 
> > > frame of specific length; subsequent data of the same message are 
> > > sent in the following frames.
> > 
> > Currently there's no way to send binary data with Web Socket at all, 
> > but going forward, when we add binary support, if one of the use cases 
> > is sending binary data of unknown size, we can definitely use a 
> > chunk-based encoding scheme.
> > 
> > Whether it's useful or not depends on what the API for binary data 
> > ends up looking like. If the API only exposes binary data using Blob 
> > objects, then there's not really a reason to avoid requiring that the 
> > server prebuffer all the data ahead of time to determine the length. 
> > If we expose the data using something akin to the Stream object 
> > currently in the HTML spec, then we'd probably want to make it chunks 
> > of fixed (maximum) size. Since the API doesn't have any binary support 
> > at all right now, though, it's probably premature to worry about this.
> 
> What does the API have to do with it?
>
> Arman's question was not about web browsers as far as I can tell.  It 
> was about non-browser clients, using other languages.

The reason for this protocol is to have two-way communication between a 
script in a Web browser and a server. This is exposed through that API.

Now you can of course, once you have defined a subprotocol that uses 
Web Sockets for use between a Web page and a server, also talk to that 
server from a command-line app, but I don't see why we would add features 
to the protocol for that case specifically. If that use case is so 
important, then the server should just provide a dedicated protocol 
specifically for those clients. It could look like Web Sockets, if that is 
easier (though frankly I think Web Sockets makes a pretty awful generic 
mechanism compared to raw TCP), but there's no reason to claim it _is_ 
Web Sockets, and so the Web Sockets spec is irrelevant here. It's 
effectively just a dedicated custom protocol, and can be specified thus.


> > > We currently use 0x81 as the identifier of the first and subsequent 
> > > frames, and 0x80 as the identifier of the last frame. When a message 
> > > is contained in a single then it starts with 0x80.
> > 
> > Please don't use frame types that aren't defined yet. If you are doing 
> > something for use unrelated to the Web Socket API, there's really no 
> > reason not to just use TCP. You can use the same framing as Web 
> > Sockets (though I don't see why, it's not that great for general 
> > purposes), but if you use Web Socket itself, it's just going to cause 
> > problems for you when the API is updated to do binary.
> 
> Are frame types free to use for applications and/or protocol extensions 
> now, or are they reserved for future WebSocket specifications?

They are all reserved for future Web Socket specifications.


> That needs to be made clear, because it's clear people are starting to 
> use them for protocol extensions.

I've updated the spec to make it clear.


> > On Mon, 1 Mar 2010, Dave Cridland wrote:
> > > This behavioural flux, though, is an excellent argument for putting 
> > > keepalive behaviour into the core, as the people designing the 
> > > frameworks are likely to have good ideas of the defaults, and keepalive 
> > > frequencies will need to be controlled per-deployment, typically, rather 
> > > than per-application.
> > 
> > We could reserve a frame byte for control messages (server talking to the 
> > browser rather than to the script), with the null message being put aside 
> > for keep-alive purposes, if people think that would be especially useful. 
> > I presume we would want the server in charge of sending keepalives rather 
> > than the browser or the script?
> 
> Keepalives and timeouts (they go together) are used for three
> equally critical things:
> 
>    - Keeping TCP open over NATs.
> 
>    - Detecting when the connection is broken at the server, so you can
>      clean it up instead of running out of memory and crashing the
>      server after a few days.  (The Tic-Tac-Toe demo has this problem.)
> 
>    - Detecting when the connection is broken at the client, so it
>      can initiated another one.  (Interactive applications need this.)
> 
> To achieve all three, it's necessary to have keepalive messages sent
> from both sides.  It is not enough to send a message from one side,
> and rely on the TCP ACK coming back.  (That'll keep the NAT open, but
> it won't allow both sides to detect broken connection in a reasonable time.)
> 
> This can be done as a "ping" style request+response, or each side can
> transmit independently when it's not transmitted anything for a
> keepalive interval.
> 
> For a given NAT timeout, the "ping" style uses more bandwidth than the
> "independent" style if the client and server's broken-connection
> timeouts are quite different.  This is because you must reduce the
> keepalive interval by more due to the extra jitter from pinging, and
> because it causes a message in both directions resulting in 3 TCP
> packets, when 2 packets would be enough most of the time.
> 
> When the server and client's broken-connection timeout needs are the
> same, then the "ping" style uses less bandwidth than "independent" style.
> 
> Note that applications like, say, Facebook and Gmail would be better
> off with asymmetric broken-connection timeouts and therefore using the
> "independent" style.
> 
> In some applications, keepalive bandwidth is actually the main
> bandwidth consumer, and it gets quite expensive, so minimising it
> is quite desirable.
> 
> What I conclude from this is that each application must be able to
> decide for itself what keepalive strategy it's going to use, and it
> must not be assumed that server-initiated pings are always a good choice.

These cases all sound like the script talking to the server, not the 
browser talking to the server, and thus can just be done by defining such 
mechanisms in the subprotocol. For example, if the protocol is some chat 
protocol, then the subprotocol could be something like:

Client-to-server:
   MSG <buddy-id> text...
   ADD <buddy-id>
   ACCEPT <buddy-id>
   REJECT <buddy-id>
   PING

Server-to-client:
   MSG <buddy-id> text...
   ADD-REQUEST <buddy-id>
   STATE <buddy-id> <state>
   PING

Here, "PING" is the message that would be used as the keepalive.

We should only add things to the core Web Socket protocol if it's 
something that will really apply to all subprotocols. Otherwise, we're 
adding an implementation burden on server-side implementors who don't need 
the feature but still have to deal with it when the client uses it.


> > IMHO, *we are responsible* for helping authors make the right choice 
> > here, even if in some cases that means simply not giving them a 
> > choice.
> 
> So why do you want to push things like message dispatch, flow control, 
> and cooperation between independent components on a page onto the 
> application authors, instead of helping to make the right choices with 
> those technical things?

Because forcing these features on everybody introduces an implementation 
burden on server-side implementors who don't need the features.


> > > However, I'd be inclined to split the reservation into "reserved for 
> > > future WebSocket revisions and approved extensions" versus "reserved 
> > > for applications to use as they want".
> > 
> > Since the API doesn't expose the frame types at all, I don't 
> > understand why any would fall into the second category.
> 
> The API is not relevant: because the discussion here is all about 
> implementations that aren't using the WebSocket API at all.

While I think we should make it possible to use the API from a non-browser 
client, I don't see why such a client would need to use Web Sockets if its 
needs are so involved that the server has dedicated code to handle it that 
is not used by its browser-side clients.

If you are writing dedicated serer code for non-browser clients, then you 
don't need Web Sockets. Just use TCP.


> > If you're exposing a Web Socket server for non-browser UAs, just make 
> > the client send something in the handshake that opts in to using a 
> > different protocol (that looks very similar to Web Socket, but isn't), 
> > and then this whole spec becomes irrelevant, and you can use whatever 
> > mechanisms you want.
> 
> I'm guess the intention is they want to use WebSocket so that, 
> eventually, browsers will be able to speak to the services they've 
> deployed without having to rewrite those services.

That's quite reasonable, but then you don't need use frame types, since 
those frames aren't going to be used by those services.


> And to reuse the inevitable Web Socket client APIs that will appear 
> quite soon for Java, .NET, Python, Perl etc.

Why not use the already existing TCP client APIs?


> Or maybe it's just a herd instinct, using the protocol even though
> it's not well suited to their problem? ;-)

We shouldn't attempt to make the protocol suit problems that are _by 
definition_ not problems for which the protocol is suited. That makes no 
sense.


> > > If the handshake messages are to contain content, then they MUST 
> > > have headers to indicate the content length to be legal HTTP: in 
> > > this case, a Content-Length header would be appropriate
> > 
> > The handshake messages don't contain content. Should I add a 
> > "Content-Length: 0" field to the handshake to make this clearer?
> 
> Definitely not, because something will inevitably parse the following 
> data as the beginning of another HTTP response if you do that.

That's the idea.


> One argument in favour of length-delimiting is that forwarders 
> (including the APIs) don't have to repeatedly examine the data at all to 
> ensure it's integrity, e.g. for things like parsing and inserting 
> transport control messages (you mentioned them earlier).  Sentinals 
> force each component to examine every byte that it passes along, which 
> is a noticable cost under high load - especially for large messages. 
> (Modern OSes and hardware can move data between files and among network 
> ports without the CPU ever loading it into it's cache.)
> 
> That's a practical efficiency thing.  Google people have said that SPDY 
> experiments showed length-delimiting is generally faster too.

In practice I would imagine that anyone with such needs is going to wait 
until Web Sockets supports compression (probably the first thing to be 
added once we have the basic protocol figured out), at which point they'll 
never need to see text frames at all.

Amateur programmers (the ones more likely to just use text frames) aren't 
generally going to have so much traffic that it matters.


> > > Up above, you implied this was rare.
> > 
> > I believe this problem would be less common than the problem of people 
> > misimplementing string measurement, yes.
> 
> I think you're probably right, but I would vote for length-delimiting on 
> efficiency grounds anyway.

I completely agree that if amateur programmers were not a priority here 
that we'd just use length encodings.


> If you wanted to be more secure, it's possible to protect against both
> issues at once: Require a leading byte length *and* 0xff sentinel following.

I don't really see how that would work, unless we made them alternatives, 
but then we'd still have to pick one for the client to use. I'm not sure 
how that would really solve the problem.


> That won't make amateur code magically work with non-ASCII characters, 
> but it will protect better against injection attacks taking advantage of 
> amateur code.

That just seems like it would become the worst of both worlds, with 
complicated error-handling rules for when they didn't match.


> > > > Leading zeros are not disallowed. (There wouldn't be much point 
> > > > disallowing them as far as I can tell.)
> > > 
> > > Yes, because multiple representations of the same values has *never* 
> > > caused a security issue.
> > 
> > On the contrary, it's often the source of problems. However, in this 
> > case, I don't really see how it could be. Do you have an attack model 
> > in mind?
> 
> How about sending a continuous stream of leading zeros, and causing 
> denial of service because the parser author didn't think to empty the 
> input buffer while parsing the number, or uses a quadratic parsing 
> (repeatedly start from the beginning on receiving more input) because 
> they expected the number to be a short byte sequence?

If we're worried about that kind of attack, you could just as easily send 
an infinite handshake. Why is it a problem here but not with the 
handshake?


> Actually I think we should support split-message chunks and then define 
> a fixed maximum chunk size of 2^31-1.  It wouldn't limit message size, 
> only chunk size.  It's much more likely to be treated correctly by real 
> implementations.

Well we don't do binary frames at all yet, but in principle for binary 
files I would agree. For something like just a compressed text frame, I 
think it'd be better to keep it as one frame, as if it had been a text 
frame. That's probably a discussion for once we have the basics pinned 
down, though; the current design doesn't preclude this kind of approach.


> > More importantly, I don't really see what our options are here. We can 
> > certainly ban the client sending leading nulls -- and indeed we have, 
> > since the client isn't allowed to send binary data at all currently, 
> > let alone binary data with leading nulls in the length. But what 
> > should the server do when faced with a buggy or hostile client? If we 
> > don't define how to handle this, but say that servers should expect it 
> > and close the connection if they see it, then it's clear to me that 
> > most implementations would _not_ check for it (that has been my 
> > experience with other languages and protocols -- asking implementors 
> > to check for something for the purposes of failing usually leads to 
> > them ignoring the requirement on the basis that doing something else 
> > is "more reliable"). So that leaves us with the choice the spec has: 
> > define it in a way that is trivial to implement interoperably (it's 
> > just an intrinsic part of handling valid data), and which is 
> > apparently harmless.
> 
> The something else is only "more reliable" if these things ever occur in 
> the wild.  If it's very clear from the start that there are no leading 
> zeros, nothing will need to parse it, and nothing will send it because 

Agreed so far...

> they get rejected when they first write code which does so.

...but not with this. If we don't define how they are handled, as I 
described above, then what happens will vary from implementation to 
implementation. By defining it in the spec we ensure that it will be 
tested when we write the test suite, and thus that servers are at least 
going to be exposed to it if their developers look at the test suite.


> > > So, your defined behaviour in the face of a DOS or overflow attack 
> > > is to, what? Just work?
> > 
> > The spec explicitly that "If the user agent is faced with content that 
> > is too large to be handled appropriately, runs out of resources for 
> > buffering incoming data, or hits an artificial resource limit intended 
> > to avoid resource starvation, then it must fail the WebSocket 
> > connection". It furthermore says that "Servers may close the WebSocket 
> > connection whenever desired". I don't see what else we can say with 
> > respect to handling DOS or overflow attacks.
> 
> I'm concerned about client APIs, server APIs, and network proxies,
> that may pass along data incrementally and have to keep a running
> counter based on the frame length they have parsed (or sent).
> 
> That's how large length-delimited frames are likely to be handled in
> practice inside frameworks.  And WS-parsing proxies must handle any
> legitimate frame sized.
> 
> Both are quite likely to break when presented with a length which
> doesn't fit into 2^32 or 2^64, depending on the variable size they use
> internally.  By not specifying a maximum, I think we're encouraging
> this as a failure point - in the same way that old HTTP agents crashed
> when faced with a Content-Length >= 2^31 - because the authors didn't
> know what was a sensible limit to implement, but practically they had
> to use some fixed size type for it - a "bignum" implementation would
> be ridiculous despite being the only formally correct thing to do.

The server-side developer is also the subprotocol writer, so they do know 
what the limit is, they decide it when designing their protocol.

Bypassing man-in-the-middle proxies entirely by using TLS seems like the 
best solution if your protocol uses frames so big that those proxies are 
going to screw it up.


> That's why I'm thinking that an explicit maximum length of 2^31-1 per 
> chunk, combined with permitting messages composed of multiple chunks 
> (because that's useful for other reasons anyway), is the safest choice 
> coming to mind at the moment.  For the length-delimited frames, that is. 
> Sentinel-delimited frames can already be any length.

Well, right now the only length delimited frame that's allowed has a 
maximum allowed length of zero. But I agree that when we add binary frames 
it might make sense to have some limits.


> Note that this is *different* from running out of resource limits or 
> protecting against starvation, because this is just about counting, so 
> it doesn't come under the section which talks about resource limits - 
> and it shouldn't.

Using a four-byte word for counting and overflowing that count is 
technically a resource limit. :-)


On Thu, 4 Mar 2010, Scott Ferguson wrote:
>
> A strawman for discussion purposes.

I'm not really sure what problem this strawman is intended to address. Can 
you elaborate?


On Fri, 5 Mar 2010, Greg Wilkins wrote:
> 
> I think we need to decide who will be doing the extending and creating 
> new subprotocols.
> 
> Ian appears to be advancing the position that if it can't be done in 
> javascript via the websocket API, then it can't be done.  Moreover, that 
> if you are not doing it in javascript then you shouldn't be using 
> websockets.

That's an oversimplification of my position.

My position is this:

Web browser vendors want to expose to Web page scripts the ability to open 
essentially a TCP connection to arbitrary servers, to replace the 
combination of XHR and the "infinite <iframe>" hack people use today. This 
obviously would have huge security problems, so instead they are willing 
to settle on a compromise: layering over TCP a minimal handshake to 
enforce an "origin"-based security policy with explicit in-band server 
opt-in. In addition, to avoid having to expose stream APIs to scripts, it 
is desired to make the mechanism use packets (frames) rather than exposing 
a stream. There's also a desire to make this use ports 80 or 443 and be 
able to use this mechanism to talk to servers who currently expose HTTP or 
HTTPS on those ports.

Web Sockets is intended to address this use case.

In addition, there is naturally a desire to make it possible for authors 
to use whatever solutions get developed in this space to talk directly to 
dedicated clients as well as talking from scripts, so that servers who do 
not support a dedicated TCP-based protocol but do expose a Web Socket- 
based protocol for their Web page's scripts can still be used from 
dedicated client programs. (This is similar to how JSON APIs intended for 
JavaScript, e.g. the Twitter API, is also usable from native clients.)

Once a server starts writing dedicated code to handle connections from 
dedicated clients, though, there's no need for the origin-based model or 
the frames, and therefore no reason why the server can't just provide a 
dedicated protocol unrelated to Web Sockets.


Now it's quite possible that there is a need for another protocol also, 
one that addresses some native-client-specific needs that I'm not aware 
of. It's also possible that the majority of this working group's members 
are interested in such a protocol, and not in the protocol needed by 
browser vendors as described above. If that is the case, then we should 
work on that protocol, and the browser vendors' needs shouldn't be a 
concern. IMHO it would be a huge mistake to try to take two such unrelated 
use cases and try to address them simultantously in one protocol. It would 
be equivalent to trying to address the use cases that led to IMAP and HTTP 
simultaneously in one protocol.


> Examples that come to mind include:
> 
>   Browser implementing a simple multiplexing standard
>   to make all websockets from the same tab/window share
>   a common connection.
>
>   Browser implementing compression.

Why wouldn't we just build these straight into the Web Socket spec? Surely 
if browsers just implement their own random extensions, it would only be 
for experimentation, since it wouldn't have a chance to interoperate with 
other browsers and servers.


>   Firewalls acting as aggregators and combining
>   multiple base connections into fewer multiplexed
>   connections to the business servers.

Assuming you mean on the server-side, these are just considered part of 
the server from the spec's point of view.


>   Appliances doing SSL offload and converting wss to ws
>   connections with injected certificate information.

Same here.


> I also think that there will be extensions done in javascript by 
> frameworks/applications, but by definition they work above the API and 
> need no more support from the base protocol than the API already 
> provides.

Right. (Not sure what you mean by "extension" here though.)


On Fri, 5 Mar 2010, Salvatore Loreto wrote:
> 
> 1) do we want WebSocket protocol to be an extensible protocol?

Extensible by whom? In what sense? It's clear that we need to make sure 
the protocol can be extended for future versions of the protocol itself, 
in a backwards- and forwards-compatible fashion, and it also seems clear 
that we need to make sure clients and servers can experiment with such 
proposals (not in the wild) to see how they would work. Is that what you 
mean?


On Mon, 8 Mar 2010, Vladimir Katardjiev wrote:
> 
> First, a copy/paste error. Page 31 seems to be missing 
> Sec-WebSocket-Key2.

Oops, that was a bug in my HTML-to-text convertor. Fixed.


> Same page, you probably meant | instead of " in
> 	
> 	(such as |Cookie")

Also a bug in my script! Fixed.


> Also, this might be just my reading comprehension, but the following 
> paragraph caused a double-take
> 
> 	if a server assumes that its clients are authorized
>       on the basis that they can connect [...] then the server
>       should also verify that the client's handshake includes the
>       invariant "Upgrade" and "Connection" parts of the handshake, and
>       should send the server's handshake before changing any user data.
> 
> Checking Upgrade and Connection is redundant if Sec-WebSocket-* are 
> present from a browser PoV;that was the point of them, no?

Yeah, that note is obsolete now. Removed.


> Right, time to graduate from reading comprehension into actual 
> questions. The big addition obviously Sec-WebSocket-Key1/2. Are there 
> any fundamental limitations on where spaces can and should occur in the 
> header? According to my interpretation as it stands, the following 
> string is a perfectly valid key: "  4abcd". Is this intended? And, if 
> so, can the leading (or trailing, if so inclined) spaces cause issues 
> when parsing by proxies/existing stacks?

I shouldn't think so, at least not with any proxies or existing stacks 
that are compatible enough in other ways to not screw up Web Sockets in 
general. However, I'm just guessing here.


> Also, I must've missed the big discussion, but what's the rationale of 
> having two key headers. One I can buy, but since it should already be 
> impossible to create a Sec-* header from a browser, AND it is impossible 
> to add spaces to the header value, AND it is a GET with a body, it's 
> already triple impossible (impossibler? impossiblest?) for XHR/CORS to 
> forge. If someone has a handy link to where this suggestion was born 
> it'd be appreciated, because this seems like quite a bit of computation 
> involved.

I originally had just one header:

  GET /demo HTTP/1.1
  Host: example.com
  Connection: Upgrade
  Sec-WebSocket-Key: 12345
  Sec-WebSocket-Protocol: sample
  Upgrade: WebSocket
  Origin: http://example.com

However, the obvious (and wrong) way to implement this is to read the 
entire header, and then do something like (in this case in Perl):

   $header =~ m/Sec-WebSocket-Key: \(.+\)\r\n/;

...or some such. Now consider this request:

  GET /demo?Sec-WebSocket-Key: HTTP/1.1
  Host: example.com
  ...

The simplest implementation is thus vulnerable to trivial attack.

As defense in depth, I introduced several overlapping solutions to this:

 * There are two keys, both of which have to end in \r. This means you 
   have to find two places to smuggle data into the connection, not just 
   one, and they have to be on different lines.

 * The keys have to include at least one space, and this is verified by 
   requiring the implementation to divide by that count -- if there aren't 
   enough spaces and you didn't check for it, you'll get a divide-by-zero 
   in many languages.

 * Non-numeric characters are stripped, so that the division is definitely 
   done on a number, so that any side-effects of dividing a string or NaN 
   or something like that are avoided in the smuggling case.

 * The client is required to randomly insert the spaces, as well as random 
   non-numeric characters, and is required to randomyl shuffle the 
   headers, so servers can't rely on any one convention, they have to at 
   least do a half-hearted attempt at really parsing the header.

 * The key also involves eight bytes after the handshake, so you have to 
   properly determine the end of the handshake, so things can't be 
   smuggled into the body, even if you otherwise ignore frames from the 
   client.


> The junk characters in the handshake also seem redundant. If you already 
> need to verify the correct number of spaces this means you are checking 
> for spaces already. As for the garbage characters, all they made me do 
> was replace("[^0-9]", '') instead of replace(' ', '') so I'd say they 
> didn't alter the functionality of my code other than take up more CPU 
> cycles.

They're intended to make sure that the behaviour is well-defined even if 
the key header is being smuggled in somewhere. Otherwise, different 
servers might use different ways of handling invalid handshakes, and that 
is likely to lead to some being more vulnerable. Now we can't entirely 
prevent this, obviosuly, but we can at least help it a little here.


> The closing handshake is also interesting. Maybe state in 5.3. that the 
> server shouldn't disconnect on 0xFF (instead of may; it still may, but 
> is discouraged from doing so since it may cause data loss. If the target 
> audience really is the kind of programmer you need to verify their code 
> by actually ensuring they read the spaces, then make the default level 
> of the protocol ensure data integrity, because that's what they'll see 
> in the lab network).

Good point. Fixed.


> Finally, and probably my smallest serious gripe, but what's up with the 
> mix of references to ASCII and UTF-8 as characters. It is all 
> technically correct, to nobody's surprise, but it's distracting to read. 
> I hope it's just a transitional thing and it'll eventually be UTF-8 
> throughout but it was just too boring to do it all at once.

Not sure what you mean.


> Page 20:  EXAMPLE: For example

Yeah, there's a few of these. I'll look into what to do about it. Maybe I 
should indent the examples rather than prefixing them with "EXAMPLE:"?


> Page 22: -> If the byte is 0x3A (ASCII :)
> 
> The internet has damaged me so badly this was a smiley face.

That, I can't help you with. :-)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'