Re: [hybi] #1: HTTP Compliance
Ian Hickson <ian@hixie.ch> Mon, 17 May 2010 23:57 UTC
Return-Path: <ian@hixie.ch>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19B0E3A6932 for <hybi@core3.amsl.com>; Mon, 17 May 2010 16:57:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.604
X-Spam-Level:
X-Spam-Status: No, score=-0.604 tagged_above=-999 required=5 tests=[AWL=-0.605, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogePW5odl5Ws for <hybi@core3.amsl.com>; Mon, 17 May 2010 16:57:27 -0700 (PDT)
Received: from looneymail-a4.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id D0A753A67F0 for <hybi@ietf.org>; Mon, 17 May 2010 16:57:27 -0700 (PDT)
Received: from ps20323.dreamhostps.com (ps20323.dreamhost.com [69.163.222.251]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by looneymail-a4.g.dreamhost.com (Postfix) with ESMTP id 5D36C83C8; Mon, 17 May 2010 16:57:20 -0700 (PDT)
Date: Mon, 17 May 2010 23:57:19 +0000
From: Ian Hickson <ian@hixie.ch>
To: Greg Wilkins <gregw@webtide.com>, Dave Cridland <dave@cridland.net>
In-Reply-To: <15307.1274106895.116423@Sputnik>
Message-ID: <Pine.LNX.4.64.1005172259030.22838@ps20323.dreamhostps.com>
References: <068.d07026741c6694cd80652d2a7d34f236@tools.ietf.org> <4BF106AD.6020506@webtide.com> <Pine.LNX.4.64.1005170918310.25609@ps20323.dreamhostps.com> <4BF11920.2080307@webtide.com> <Pine.LNX.4.64.1005171039050.25609@ps20323.dreamhostps.com> <4BF12FF1.2020101@webtide.com> <15307.1274106895.116423@Sputnik>
Content-Language: en-GB-hixie
Content-Style-Type: text/css
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] #1: HTTP Compliance
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 23:57:29 -0000
On Mon, 17 May 2010, Greg Wilkins wrote: > > > > If the server is a Web Socket server, and it received a request from a > > Web Socket client, then why would it care about HTTP? > > > > If the server is not a Web Socket server, then why would it ever > > consider sending a response back using Web Sockets? > > > > If the server is aware of Web Sockets and HTTP, and gets a request > > from an HTTP client, then why would it respond with Web Sockets? > > This is not an exhaustive list and you left out the situation that I > have been describing in my examples. > > The server is aware of both web sockets and HTTP and > receives a request from a websocket client that is > to be rejected. > > For one of the many reasons I've outlined in my other email, that > request is handled either by code that does not know about websockets, > or is unable to act as the websocket spec requires (ie closing > connection). > > Thus the only possible choice is for the server to send a compliant HTTP > response, which is contrary to the websocket specification. This is just an HTTP server getting a request it doesn't want to handle -- it's perfectly allowed to do whatever it wants from an HTTP point of view, and the Web Socket client will disconnect once it sees the handshake is not what a Web Socket server would send. Again, I don't see a problem here. > Websocket clients are going to receive 404's, 503's etc. > They are going to have to handle them sensibly and report > reasonable errors to the user. Clients can do whatever they want in their user interface. Nothing in the spec restricts that. > There are also arguments that it is desirable to allow > clients to actually interpret some of these responses. > It could for example handle a 401 or a 302. Handling redirects is remarkably complex due to the origin model. Handling 401s used to be in the spec but was removed based on implementation feedback. There's no point us requiring stuff that implementors won't implement. (It's not really clear what the UI should be for a 401, since the user doesn't know he sent a request. Just prompting the user unexpectedly isn't an option because it habituates users to behaviour that is too easily replicated by phishing scams. > Please try reading some of the many examples that I have sent in detail, > but in summary: > > + authentication cookie missing Why wouldn't this be handled either in the subprotocol or (more likely) by the JS before it invokes the WebSocket constructor? > + wrong URL given to the websocket client. > + poor deployment (with apache or similar in front or > in a server that does not support websocket). > + some other exception made the webapplication fail > to start, so the container sends a 503 > + some exception in handling the request causes a 500 > + some stupid caching proxy sends a 200 response These all seem like variants on the same basic idea: the script tried to connect to the server, but the connection failed. There are many more ways the connection can fail: + man in the middle proxy doesn't let it go through + server is overloaded and times out + server is offline + user is not connected to the network + server's DNS is misconfigured The list goes on. In all of these cases, the script gets an "error" event. We can't report anything else to the script, because that would be an information leak (e.g. it would let you study intranet topologies). The user agent can tell the user whatever it wants, though, that's fine. Developers would probably want to see the exact bytes sent back by the server, and user agents can definitely expose that. On Mon, 17 May 2010, Dave Cridland wrote: > > Currently, in the XMPP world, there is BOSH. BOSH is a comet-like > mechanism for tunelling XMPP (and other things) through HTTP. The URI is > sometimes inherent in the client as delivered over HTTP; but it is also > sometimes hand configured. > > It makes sense that if we were to use WebSockets in a similar way, then > a desktop client might initiate a session with an HTTP service without > knowing a priori if it's an HTTP or WebSocket service. I don't understand how that could happen. Could you elaborate on what kind of desktop client you mean? When would you ever connect to a port without knowing ahead of time what protocol you want to talk? -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
- [hybi] #1: HTTP Compliance hybi issue tracker
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Vladimir Katardjiev
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Salvatore Loreto
- Re: [hybi] #1: HTTP Compliance Dave Cridland
- Re: [hybi] #1: HTTP Compliance Scott Ferguson
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Daniel Stenberg
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Bjoern Hoehrmann
- Re: [hybi] #1: HTTP Compliance Bjoern Hoehrmann
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Pieter Hintjens
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Scott Ferguson
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- [hybi] An input document (was: #1: HTTP Complianc… S Moonesamy
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance gustav trede
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance gustav trede
- Re: [hybi] #1: HTTP Compliance Daniel Stenberg
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Adam Barth
- Re: [hybi] #1: HTTP Compliance L.Wood
- Re: [hybi] #1: HTTP Compliance Adam Barth
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- [hybi] Objections (was: #1: HTTP Compliance) S Moonesamy
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Greg Wilkins