Re: [hybi] Authentication headers

Wellington Fernando de Macedo <wfernandom2004@gmail.com> Thu, 22 July 2010 00:07 UTC

Return-Path: <wfernandom2004@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B30923A68F0 for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 17:07:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id imA8ABb-qr2F for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 17:07:32 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by core3.amsl.com (Postfix) with ESMTP id 384803A6840 for <hybi@ietf.org>; Wed, 21 Jul 2010 17:07:32 -0700 (PDT)
Received: by qwe5 with SMTP id 5so3126366qwe.31 for <hybi@ietf.org>; Wed, 21 Jul 2010 17:07:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=kkv2f07O5n/NrgICIVx2T8INEoM87jxxXOSjfVKr8iQ=; b=MrraNNcJsdrhRNFNG9FKfrvj0MLuCxiu1Yfj35Dz2R0E7PbqC3UPAZBSb48UO3LhKU HUTpqYXroggiZGP3l0j53nLkUq/06L47KIeHG1R7LINSIxF6Hbm2b+1jC/U3Q8KVz1cW 6vcSuPbyBWDX4OC0XEZciN2ykVrmEuKZbq0z8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=yDTnDmGAmSVqhRGrVYJaV8pCrSnoZBLfk2IjVekcKCYPCqTmhgpun+WH8WfLnN5H6O s3e8HOJu8MDAxLI0vITyHrDTOX2sDLyubHV2Xrcnl2aa84KG/UqNXOG7FFHXT0cR/9FV 6tHs8kJ1MUXfPnUnrBqbI9wPCC6jGC8pcJ2Dg=
MIME-Version: 1.0
Received: by 10.224.79.151 with SMTP id p23mr718301qak.312.1279757268756; Wed, 21 Jul 2010 17:07:48 -0700 (PDT)
Received: by 10.229.55.10 with HTTP; Wed, 21 Jul 2010 17:07:48 -0700 (PDT)
In-Reply-To: <AANLkTinMjVTaAf3F9HShN2zTfSMNnH-apirBjtR_22sF@mail.gmail.com>
References: <AANLkTimo9g4Tvzd1RekVXKtTpOhRz58jr7VLqhS-Wrdf@mail.gmail.com> <Pine.LNX.4.64.1007210653190.7242@ps20323.dreamhostps.com> <AANLkTinMjVTaAf3F9HShN2zTfSMNnH-apirBjtR_22sF@mail.gmail.com>
Date: Wed, 21 Jul 2010 21:07:48 -0300
Message-ID: <AANLkTil1Y2HtE6yophn8uNznJTPAFNx_jiKlIqPt6p-z@mail.gmail.com>
From: Wellington Fernando de Macedo <wfernandom2004@gmail.com>
To: Ian Hickson <ian@hixie.ch>
Content-Type: multipart/alternative; boundary=00c09f9c974d672e8e048beeb5e8
Cc: hybi@ietf.org
Subject: Re: [hybi] Authentication headers
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 00:07:33 -0000

> Also, it isn't true. Again, all available Mozilla's http authentication
(like digest) work with websocket.

Well, I said something wrong... Actually digest with websockets just works
when connecting to the proxy.
Sorry.

2010/7/21 Wellington Fernando de Macedo <wfernandom2004@gmail.com>

> > For example, the only authentication scheme that would work and be secure
> is Basic auth
> > over TLS to the same host as served the HTML page.
>
> Also, it isn't true. Again, all available Mozilla's http authentication
> (like digest) work with websocket.
>
> 2010/7/21 Ian Hickson <ian@hixie.ch>
>
> On Mon, 7 Jun 2010, Wellington Fernando de Macedo wrote:
>> >
>> > I'm updating the Mozilla's implementation of the WS protocol to its
>> > latest version (v.76). I know that handling the 401 http response was
>> > already removed in the v75. But now I've noted that even the http
>> > Authorization header has been removed.
>> >
>> > Well, I think that the 401 http status was removed in order to prevent
>> > the browser to open unexpected auth dialogs to the user. Actually, I
>> > know there is the cookie information, but I think it isn't always
>> > enough. So, I would like to ask, why can't a "normal" request include
>> > the Authorization header from its page origin?
>>
>> There's some commented-out text to that effect, but frankly it's not clear
>> to me that it would be particularly useful in practice. For example, the
>> only authentication scheme that would work and be secure is Basic auth
>> over TLS to the same host as served the HTML page. In practice, only very
>> few sites use that combination of technologies; the cost of supporting it
>> seems higher than the benefit gained from it. It also seems unreliable; it
>> relies on the browser remembering the credentials used when loading the
>> Web page, for instance. There are also a number of situations where it
>> would seem that it should work but where it won't, for example if a page
>> on one path uses pushState() to go to another path and then opens a
>> WebSocket connection to the same host with the second path, the UA would
>> not know the realm of the second path and thus wouldn't know to include
>> the authentication information.
>>
>> Basically, it seemed hacky. I couldn't really find a compelling argument
>> to support this rather than having it at the application layer. (You can
>> still leverage the basic auth feature that way, just have the server send
>> back a unique token that identifies the user's session and then pass that
>> back on the WebSocket connection.) Cookies are supported because they are
>> _very_ widely used, so there's something to reuse. HTTP auth is used so
>> rarely that I'd seriously consider dropping it from HTTP at this point; I
>> really don't think it's worth adding to WebSockets.
>>
>> --
>> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
>> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>>
>
>