Re: [hybi] #1: HTTP Compliance

["Shelby Moore" <shelby@coolpage.com>]

> On Sun, Aug 15, 2010 at 05:10:09AM -0400, Shelby Moore wrote:
>> An HTTP proxy that is compatible with draft/proposal #76 (the
>> contentious
>> one that passes 8 extra characters after the HTTP header without a
>> Content-Length header), would need a specific code path for the
>> WebSocket
>> upgrade request in order to pass 8, and only 8, extra characters
>> (concensus is that passing an arbitrary content length would be a
>> security
>> hole).
>>
>> Isn't it the antithesis of the 80/20 rule and interoperability to
>> require
>> every HTTP proxy in the world to have specific code path for every
>> possible future HTTP Upgrade protocol that comes along?
>
> it's even worse than that, it means that such a reverse-proxy, when shared
> between HTTP and Websocket, will have to accept to blindly forward those 8
> bytes everytime someones *pretends* to talk websocket, without the
> server's
> consent.

I had read that point in past discussion.  I would be tempted to assume 8
characters is relatively harmless security hole (as compared to passing an
arbitrarily unexpected content length, which is what would be required to
have one code path for all proxies for all possible Upgrade extensions
that expect such special treatment), but I will grant you that even 1
unexpected bit is a potential security hole.


> Since reverse-proxies are used everywhere (in IDS, HTTP-aware firewalls,
> caches, load balancers, etc...), it is not even advisable to have per-host
> or per-IP rules considering the large number of hosts that can be
> installed
> behind any of them.

Yeah I know this from experience.  I suppose I save the IP maybe for law
enforcement who want to trace logs back to the client, or for broad-stroke
geographic position.

Proxies are proliferating with wireless too.

It would be an exponentially increasing cost problem of interoperability
if every Upgrade protocol requires a new code path in the proxies.

Let me confess that I have only been studying the entire issue of Comet,
BOSH, WebSocket, and this mailing list, for a several hours.  I came to
this from Wikipedia, because I need to choose an architecture strategy for
a social network I am developing.  So take my comments as one perspective
of an outsider (but an outsider with considerable experience in web
development and successful commercial software both pre-internet and
post).  I am not a networking expert, but I do think a lot about
interoperability in the real world and also in terms of programming
language design.

> So it is very important that if we go the HTTP way, we respect the
> protocol's
> semantics.
>
> In fact, the protocol can be made HTTP compliant by switching two lines in
> the description of the server's behaviour : the server just has to send
> the
> 101 *BEFORE* it reads the /key3/ parameter, and we're done.
>
> Regards,
> Willy