Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

John Fallows <john.fallows@kaazing.com> Mon, 01 February 2010 05:04 UTC

In-Reply-To: <10CFF7AB-9954-4876-B4D9-4E7C4E040045@apple.com>
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com> <10CFF7AB-9954-4876-B4D9-4E7C4E040045@apple.com>
Date: Sun, 31 Jan 2010 21:04:28 -0800
Message-ID: <c5b3a7131001312104x7c74ae72w73fc4adb66ac4bb0@mail.gmail.com>
From: John Fallows <john.fallows@kaazing.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Agreed.

Kaazing is much more interested in resolving any outstanding technical
issues with WebSockets rather than the political distractions that seem to
have been hindering real progress.

Regards,
John Fallows

On Thu, Jan 28, 2010 at 2:55 PM, Maciej Stachowiak <mjs@apple.com> wrote:

>
> +1
>
> We at Apple are interested in moving the technology forward, not so much in
> debating the politics. Can we at least keep procedural matters out of threads
> about technical questions?
>
>  - Maciej
>
> On Jan 28, 2010, at 2:49 PM, Ian Fette (イアンフェッティ) wrote:
>
> So, moving back to the original question... I am very concerned here. A
> relatively straightforward question was asked, with rationale for the
> question. "May/Should WebSocket use HttpOnly cookie while Handshaking?
> I think it would be useful to use HttpOnly cookie on WebSocket so that we
> could authenticate the WebSocket connection by the auth token cookie which
> might be HttpOnly for security reason."
>
> It seems reasonable to assume that Web Sockets will be used in an
> environment where users are authenticated, and that in many cases the Web
> Socket will be established once the user has logged into a page via
> HTTP/HTTPS. It seems furthermore reasonable to assume that a server may
> track the logged-in-ness of the client using an HttpOnly cookie, and that the
> server-side logic to check whether a user is already logged in could easily
> be leveraged for Web Sockets, since it starts as an HTTP connection that
> includes cookies and is then upgraded. It seems like a very straightforward
> thing to say "Yes, it makes sense to send the HttpOnly cookie for Web Socket
> connections".
>
> Instead, we are bogged down in politics.
>
> How are we to move forward on this spec? We have multiple server
> implementations, there are multiple client implementations, if a simple
> question like this gets bogged down in discussions of WHATWG vs IETF we are
> never going to get anywhere. Clearly there are people on both groups who
> have experience in the area and valuable contributions to add, so how do we
> move forward? Simply telling the folks on WHATWG that they've handed the
> spec off to IETF is **NOT** in line with what I recall at the IETF, where I
> recall agreeing to the two WGs working in concert with each other. What we
> have before us is a very trivial question (IMO) that should receive a quick
> response. Can we use this as a proof of concept that the two groups can work
> together? If so, what are the concrete steps?
>
> If we can't figure out how to move forward on such a simple issue, it seems
> to me that we are in an unworkable situation, and should probably just
> continue the work in WHATWG through to a final spec, let implementations
> settle for a while, and then hand it off to IETF for refinement and
> finalization in a v2 spec... (my $0.02)
>
> -Ian
>
> 2010/1/28 Ian Hickson <ian@hixie.ch>
>
>> On Thu, 28 Jan 2010, Julian Reschke wrote:
>> > Ian Hickson wrote:
>> > > ...
>> > > > The WHATWG submitted the document to the IETF
>> > >
>> > > I don't think that's an accurate portrayal of anything that has occurred,
>> > > unless you mean the way my commit script uploads any changes to the draft to
>> > > the tools.ietf.org scripts. That same script also submits the various
>> > > documents generated from that same source document to the W3C and WHATWG
>> > > source version control repositories.
>> > > ...
>> >
>> > By submitting an Internet Draft according to BCP 78 you grant the IETF certain
>> > rights; it's not relevant whether it was a script or yourself using a browser
>> > or a MUA who posted it.
>> >
>> > You may want to check <http://tools.ietf.org/html/bcp78#section-5.3>.
>>
>> With the exception of the trademark rights, which I don't have and
>> therefore cannot grant, the rights listed there are a subset of the rights
>> the IETF was already granted by virtue of the WHATWG publishing the spec
>> under a very liberal license. So that doesn't appear to be relevant.
>>
>> --
>> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
>> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>> _______________________________________________
>> hybi mailing list
>> hybi@ietf.org
>> https://www.ietf.org/mailman/listinfo/hybi
>>
>


-- 
>|< Kaazing Corporation >|<
John Fallows | CTO | +1.650.960.8148
888 Villa St, Ste 410 | Mountain View, CA 94041, USA
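The mechanism Ian Fette describes in the quoted message (the WebSocket connection opens as an ordinary HTTP request that carries the browser's cookies, so the server's existing session check can decide whether to accept the upgrade), as an added example that is not code from anyone on this thread. It uses the opening handshake as later standardized in RFC 6455 (Sec-WebSocket-Key/Sec-WebSocket-Accept with the GUID from section 4.2.2) rather than the 2010 draft under discussion; the session store, the cookie name `session`, the allowed origin and the sample request are constructed for this example. Two points the code makes concrete: the HttpOnly attribute never reaches the server (it only restricts script access in the browser; the Cookie header carries the value either way), and because the browser attaches cookies automatically, a server that authorizes the upgrade from a cookie should also check the Origin header before honoring the session.

```python
import base64
import hashlib

# GUID fixed by RFC 6455 section 4.2.2 for computing Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed session store (cookie value -> user); a real server would consult
# the same login/session machinery its HTTP pages already use.
SESSIONS = {"s3ss10n-abc": "alice"}

# Constructed allow-list of page origins permitted to open sockets (assumption).
ALLOWED_ORIGINS = {"https://app.example.test"}

# Constructed sample upgrade request, as a browser would send it after login.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Origin: https://app.example.test\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Cookie: theme=dark; session=s3ss10n-abc\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, target, version, headers).

    Header names are lower-cased so lookups are case-insensitive.
    Raises ValueError on a malformed request line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def parse_cookies(header):
    """Parse a Cookie request header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(client key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def session_user(headers):
    """Return the user bound to the session cookie, or None.

    Whether the cookie was set HttpOnly is invisible here: the header simply
    carries "session=<value>", exactly as it would on any other HTTP request.
    """
    cookie_header = headers.get("cookie")
    if not cookie_header:
        return None
    token = parse_cookies(cookie_header).get("session")
    return SESSIONS.get(token) if token else None


def handshake(raw):
    """Validate a WebSocket upgrade; return (status, response_bytes, user).

    Only an authenticated request from an allowed origin gets a 101.
    """
    try:
        method, _target, version, h = parse_request(raw)
    except ValueError:
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n", None
    is_upgrade = (h.get("upgrade", "").lower() == "websocket"
                  and "upgrade" in h.get("connection", "").lower())
    key = h.get("sec-websocket-key")
    if method != "GET" or version != "HTTP/1.1" or not is_upgrade or not key:
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n", None
    # The browser attaches cookies regardless of which page opened the socket,
    # so a valid session alone does not prove the request came from our pages.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, b"HTTP/1.1 403 Forbidden\r\n\r\n", None
    user = session_user(h)
    if user is None:
        return 401, b"HTTP/1.1 401 Unauthorized\r\n\r\n", None
    response = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    ).encode("ascii")
    return 101, response, user


if __name__ == "__main__":
    status, body, who = handshake(SAMPLE_REQUEST)
    print(status, who)
    print(body.decode("ascii"))
```

The sample key is the one used in RFC 6455's own worked handshake, so the accept value the code produces can be checked against the RFC text. Everything after the 101 (framing, masking) is out of scope here; the point is that the session decision happens on the plain HTTP request before the upgrade.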