Re: [hybi] Concerns about Origin

Sylvain Hellegouarch <sh@defuze.org> Mon, 22 November 2010 21:43 UTC

In-Reply-To: <AANLkTi=qKiqcKPf3hcOzD5QfWvU-6ncfhMO6hwyV9sxM@mail.gmail.com>
References: <op.vmkpgllmidj3kv@simon-pieterss-macbook.local> <AANLkTi=hVXa1yFbLr-pRS25gA2F__X3bM9w08O99my6s@mail.gmail.com> <op.vmky62ixidj3kv@dhcp-190.linkoping.osa> <AANLkTi=qKiqcKPf3hcOzD5QfWvU-6ncfhMO6hwyV9sxM@mail.gmail.com>
Date: Mon, 22 Nov 2010 22:44:21 +0100
Message-ID: <AANLkTimb8RQuFK43NjtbwEb4ap2sc3ASvoKotT1dzZXz@mail.gmail.com>
From: Sylvain Hellegouarch <sh@defuze.org>
To: John Tamplin <jat@google.com>
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Concerns about Origin

On Mon, Nov 22, 2010 at 5:58 PM, John Tamplin <jat@google.com> wrote:

> On Mon, Nov 22, 2010 at 11:38 AM, Simon Pieters <simonp@opera.com> wrote:
> >> APIs for server apps should have a hook to the handshake event, so
> >> that apps can participate in the handshake. Apps have an opportunity
> >> here to check Origin, set cookies, etc. per connection.
> >
> > pywebsocket allows apps to do extra checks in the handshake, but I'd like
> > to take a step further and make the origin choice a required step for the
> > app writer.
>
> I would prefer the default behavior of the server to be that the
> origin has to match exactly, but that the app can override it, or when
> the app is registered with the server it gives a list of acceptable
> Origins.
>
>
That's definitely how I'd implement it as well. The case that's left is when
the app doesn't provide any Origin, what should the server do? Default to
Origin=Host? Or should the request be rejected (I don't quite see the point
of that, mind you). In the end, it's similar to the Sec-WebSocket-Protocol
header, which is left up to the app writer to decide how to react to in either
case.

-- 
- Sylvain
http://www.defuze.org
http://twitter.com/lawouach
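One way to implement the policy the thread is converging on, as an added example that is not pywebsocket's code and not part of the original message: exact match of the handshake Origin against the request's Host by default, an app-registered allow-list as the override, and the missing-Origin case left as an explicit knob. The function names, the lowercase header dictionary and the `require_origin` parameter are assumptions; the two header spellings it accepts are the ones the hybi drafts and RFC 6455 used for this value.

```python
"""
Added example (not pywebsocket's own code): an Origin policy for the
WebSocket server handshake.

Default: the Origin must match the request's Host exactly (Origin=Host).
An app may override that by registering an explicit list of acceptable
origins.  All names here are hypothetical.
"""
from urllib.parse import urlsplit

# Ports a browser omits when it serialises an origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Canonicalise an origin to 'scheme://host[:port]' so that an exact
    comparison is not fooled by letter case or an explicit default port.
    Returns None for anything that is not a plain http(s) origin: the opaque
    origin 'null', values carrying userinfo, a path, a query or a bad port."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname           # already lower-cased by urlsplit
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if (parts.username or parts.password or parts.path not in ("", "/")
            or parts.query or parts.fragment):
        return None
    if ":" in host:                 # IPv6 literal: restore the brackets
        host = "[%s]" % host
    if port is None or port == DEFAULT_PORTS[scheme]:
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def check_origin(headers, allowed_origins=None, secure=False,
                 require_origin=True):
    """Decide whether a handshake may proceed.

    headers         -- dict of lowercase header name -> value
    allowed_origins -- None: the app registered nothing, so fall back to the
                       default of exact match against Host.  A list (even an
                       empty one) is the app's override and is used as-is.
    secure          -- True on a TLS (wss) connection, so the expected page
                       origin is https://Host rather than http://Host.
    require_origin  -- policy for a request with no Origin header at all
                       (a non-browser client); reject by default.
    Returns (accepted, reason)."""
    # Both spellings of the header seen across the drafts and RFC 6455.
    raw = headers.get("origin", headers.get("sec-websocket-origin"))
    if raw is None:
        return (not require_origin), "no Origin header"
    origin = normalize_origin(raw)
    if origin is None:
        return False, "malformed or opaque Origin: %r" % raw
    if allowed_origins is None:
        host = headers.get("host")
        if host is None:
            return False, "no Host header to derive the default origin from"
        expected = normalize_origin(("https://" if secure else "http://") + host)
        if expected is None:
            return False, "malformed Host header: %r" % host
        allowed = {expected}
    else:
        allowed = set(filter(None, map(normalize_origin, allowed_origins)))
    if origin in allowed:
        return True, "origin %s accepted" % origin
    return False, "origin %s not acceptable" % origin


if __name__ == "__main__":
    # Constructed sample handshakes, not captured traffic.
    print(check_origin({"host": "example.com", "origin": "http://EXAMPLE.com:80"}))
    print(check_origin({"host": "example.com", "origin": "http://evil.example"}))
    print(check_origin({"host": "ws.example", "origin": "https://app.example"},
                       allowed_origins=["https://app.example:8443"]))
```

Two points worth noting in that shape. The comparison is set membership on canonicalised strings, never a prefix or substring test, so `http://example.com.evil.example` does not match `http://example.com` and a port override has to be spelled out exactly. And the Origin=Host default only helps when the page is served from the same host as the WebSocket endpoint; an app served from elsewhere has to register its list, which is the case the thread is asking the API to make explicit.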