IETF Logo Mail Archive

Re: [hybi] #1: HTTP Compliance

Ian Hickson <ian@hixie.ch> Mon, 17 May 2010 23:57 UTC

Return-Path: <ian@hixie.ch>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19B0E3A6932 for <hybi@core3.amsl.com>; Mon, 17 May 2010 16:57:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.604
X-Spam-Level:
X-Spam-Status: No, score=-0.604 tagged_above=-999 required=5 tests=[AWL=-0.605, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogePW5odl5Ws for <hybi@core3.amsl.com>; Mon, 17 May 2010 16:57:27 -0700 (PDT)
Received: from looneymail-a4.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id D0A753A67F0 for <hybi@ietf.org>; Mon, 17 May 2010 16:57:27 -0700 (PDT)
Received: from ps20323.dreamhostps.com (ps20323.dreamhost.com [69.163.222.251]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by looneymail-a4.g.dreamhost.com (Postfix) with ESMTP id 5D36C83C8; Mon, 17 May 2010 16:57:20 -0700 (PDT)
Date: Mon, 17 May 2010 23:57:19 +0000
From: Ian Hickson <ian@hixie.ch>
To: Greg Wilkins <gregw@webtide.com>, Dave Cridland <dave@cridland.net>
In-Reply-To: <15307.1274106895.116423@Sputnik>
Message-ID: <Pine.LNX.4.64.1005172259030.22838@ps20323.dreamhostps.com>
References: <068.d07026741c6694cd80652d2a7d34f236@tools.ietf.org> <4BF106AD.6020506@webtide.com> <Pine.LNX.4.64.1005170918310.25609@ps20323.dreamhostps.com> <4BF11920.2080307@webtide.com> <Pine.LNX.4.64.1005171039050.25609@ps20323.dreamhostps.com> <4BF12FF1.2020101@webtide.com> <15307.1274106895.116423@Sputnik>
Content-Language: en-GB-hixie
Content-Style-Type: text/css
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] #1: HTTP Compliance
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 23:57:29 -0000

On Mon, 17 May 2010, Greg Wilkins wrote:
> > 
> > If the server is a Web Socket server, and it received a request from a 
> > Web Socket client, then why would it care about HTTP?
> > 
> > If the server is not a Web Socket server, then why would it ever 
> > consider sending a response back using Web Sockets?
> > 
> > If the server is aware of Web Sockets and HTTP, and gets a request 
> > from an HTTP client, then why would it respond with Web Sockets?
> 
> This is not an exhaustive list and you left out the situation that I 
> have been describing in my examples.
> 
>    The server is aware of both web sockets and HTTP and
>    receives a request from a websocket client that is
>    to be rejected.
>
> For one of the many reasons I've outlined in my other email, that 
> request is handled either by code that does not know about websockets, 
> or is unable to act as the websocket spec requires (ie closing 
> connection).
> 
> Thus the only possible choice is for the server to send a compliant HTTP 
> response, which is contrary to the websocket specification.

This is just an HTTP server getting a request it doesn't want to handle -- 
it's perfectly allowed to do whatever it wants from an HTTP point of view, 
and the Web Socket client will disconnect once it sees the handshake is 
not what a Web Socket server would send.

Again, I don't see a problem here.


> Websocket clients are going to receive 404's, 503's etc.
> They are going to have to handle them sensibly and report
> reasonable errors to the user.

Clients can do whatever they want in their user interface. Nothing in the 
spec restricts that.


> There are also arguments that it is desirable to allow
> clients to actually interpret some of these responses.
> It could for example handle a 401 or a 302.

Handling redirects is remarkably complex due to the origin model. Handling 
401s used to be in the spec but was removed based on implementation 
feedback. There's no point us requiring stuff that implementors won't 
implement. (It's not really clear what the UI should be for a 401, since 
the user doesn't know he sent a request. Just prompting the user 
unexpectedly isn't an option because it habituates users to behaviour that 
is too easily replicated by phishing scams.


> Please try reading some of the many examples that I have sent in detail, 
> but in summary:
> 
>   + authentication cookie missing

Why wouldn't this be handled either in the subprotocol or (more likely) by 
the JS before it invokes the WebSocket constructor?


>   + wrong URL given to the websocket client.
>   + poor deployment (with apache or similar in front or
>     in a server that does not support websocket).
>   + some other exception made the webapplication fail
>     to start, so the container sends a 503
>   + some exception in handling the request causes a 500
>   + some stupid caching proxy sends a 200 response

These all seem like variants on the same basic idea: the script tried to 
connect to the server, but the connection failed. There are many more ways 
the connection can fail:

   + man in the middle proxy doesn't let it go through
   + server is overloaded and times out
   + server is offline
   + user is not connected to the network
   + server's DNS is misconfigured

The list goes on. In all of these cases, the script gets an "error" 
event. We can't report anything else to the script, because that would be 
an information leak (e.g. it would let you study intranet topologies). The 
user agent can tell the user whatever it wants, though, that's fine. 
Developers would probably want to see the exact bytes sent back by the 
server, and user agents can definitely expose that.


On Mon, 17 May 2010, Dave Cridland wrote:
>
> Currently, in the XMPP world, there is BOSH. BOSH is a comet-like 
> mechanism for tunelling XMPP (and other things) through HTTP. The URI is 
> sometimes inherent in the client as delivered over HTTP; but it is also 
> sometimes hand configured.
> 
> It makes sense that if we were to use WebSockets in a similar way, then 
> a desktop client might initiate a session with an HTTP service without 
> knowing a priori if it's an HTTP or WebSocket service.

I don't understand how that could happen. Could you elaborate on what kind 
of desktop client you mean? When would you ever connect to a port without 
knowing ahead of time what protocol you want to talk?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

v2.23.0 | Report a Bug | By Email