Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Maciej Stachowiak <mjs@apple.com> Thu, 28 January 2010 22:55 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57DBB3A690B for <hybi@core3.amsl.com>; Thu, 28 Jan 2010 14:55:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.251
X-Spam-Level:
X-Spam-Status: No, score=-105.251 tagged_above=-999 required=5 tests=[AWL=-0.049, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iGnSwLzQdewH for <hybi@core3.amsl.com>; Thu, 28 Jan 2010 14:55:35 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 00D353A68AD for <hybi@ietf.org>; Thu, 28 Jan 2010 14:55:34 -0800 (PST)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out4.apple.com (Postfix) with ESMTP id A1769890B13C for <hybi@ietf.org>; Thu, 28 Jan 2010 14:55:54 -0800 (PST)
X-AuditID: 11807136-b7bafae000000e8d-a9-4b6215fa5d22
Received: from gertie.apple.com (gertie.apple.com [17.151.62.15]) by relay15.apple.com (Apple SCV relay) with SMTP id 91.9A.03725.AF5126B4; Thu, 28 Jan 2010 14:55:54 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_WJO8JDuPUw+Iz/1jDZI8nQ)"
Received: from [17.151.87.97] by gertie.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KWZ00I3VBP4IB30@gertie.apple.com> for hybi@ietf.org; Thu, 28 Jan 2010 14:55:53 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com>
Date: Thu, 28 Jan 2010 14:55:52 -0800
Message-id: <10CFF7AB-9954-4876-B4D9-4E7C4E040045@apple.com>
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com>
To: ifette@google.com
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2010 22:55:36 -0000

+1

We at Apple are interested in moving the technology forward, not so much in debating the politics. Can we at least keep procedural mattes out of threads about technical questions?

 - Maciej

On Jan 28, 2010, at 2:49 PM, Ian Fette (イアンフェッティ) wrote:

> So, moving back to the original question... I am very concerned here. A relatively straightforward question was asked, with rationale for the question. "May/Should WebSocket use HttpOnly cookie while Handshaking?
> I think it would be useful to use HttpOnly cookie on WebSocket so that we could authenticate the WebSocket connection by the auth token cookie which might be HttpOnly for security reason."
> 
> It seems reasonable to assume that Web Sockets will be used in an environment where users are authenticated, and that in many cases the Web Socket will be established once the user has logged into a page via HTTP/HTTPS. It seems furthermore reasonable to assume that a server may track the logged-in-ness of the client using a HttpOnly cookie, and that the server-side logic to check whether a user is already logged in could easily be leveraged for Web Sockets, since it starts as an HTTP connection that includes cookies and is then upgraded. It seems like a very straightforward thing to say "Yes, it makes sense to send the HttpOnly cookie for Web Socket connections".
> 
> Instead, we are bogged down in politics.
> 
> How are we to move forward on this spec? We have multiple server implementations, there are multiple client implementations, if a simple question like this gets bogged down in discussions of WHATWG vs IETF we are never going to get anywhere. Clearly there are people on both groups who have experience in the area and valuable contributions to add, so how do we move forward? Simply telling the folks on WHATWG that they've handed the spec off to IETF is **NOT** in line with what I recall at the IETF, where I recall agreeing to the two WGs working in concert with each other. What we have before us is a very trivial question (IMO) that should receive a quick response. Can we use this as a proof of concept that the two groups can work together? If so, what are the concrete steps? 
> 
> If we can't figure out how to move forward on such a simple issue, it seems to me that we are in an unworkable situation, and should probably just continue the work in WHATWG through to a final spec, let implementations settle for a while, and then hand it off to IETF for refinement and finalization in a v2 spec... (my $0.02)
> 
> -Ian
> 
> 2010/1/28 Ian Hickson <ian@hixie.ch>
> On Thu, 28 Jan 2010, Julian Reschke wrote:
> > Ian Hickson wrote:
> > > ...
> > > > The WHATWG submitted the document to the IETF
> > >
> > > I don't think that's an accurate portrayal of anything that has occurred,
> > > unless you mean the way my commit script uploads any changes to the draft to
> > > the tools.ietf.org scripts. That same script also submits the varous
> > > documents generated from that same source document to the W3C and WHATWG
> > > source version control repositories.
> > > ...
> >
> > By submitting an Internet Draft according to BCP 78 you grant the IETF certain
> > rights; it's not relevant whether it was a script or yourself using a browser
> > or a MUA who posted it.
> >
> > You may want to check <http://tools.ietf.org/html/bcp78#section-5.3>.
> 
> With the exception of the trademark rights, which I don't have and
> therefore cannot grant, the rights listed there are a subset of the rights
> the IETF was already granted by virtue of the WHATWG publishing the spec
> under a very liberal license. So that doesn't appear to be relevant.
> 
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
> 
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi