Re: [hybi] Fwd: New Version Notification for draft-mcmanus-httpbis-h2-websockets-01.txt

Patrick McManus <> Fri, 27 October 2017 17:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8DBCB138A38 for <>; Fri, 27 Oct 2017 10:14:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.734
X-Spam-Status: No, score=-0.734 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SORBS_SPAM=0.5, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TF7HhmdckBsN for <>; Fri, 27 Oct 2017 10:14:03 -0700 (PDT)
Received: from ( [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by (Postfix) with ESMTP id 33D7C1384B5 for <>; Fri, 27 Oct 2017 10:14:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPSA id 390B93A01B for <>; Fri, 27 Oct 2017 13:14:02 -0400 (EDT)
Received: by with SMTP id n69so8149667lfn.2 for <>; Fri, 27 Oct 2017 10:14:02 -0700 (PDT)
X-Gm-Message-State: AMCzsaXLej9EGv+kc1HKrpNka4bxtYd/YJl9dLnKIvdBj/+TJMdbVAtK 5Y7S7c/sG/LDjqWSXRmjQ6/UAQi+E6jAwUTdic0=
X-Google-Smtp-Source: ABhQp+R61gA3zY1TX7wOoypx6ViEkTtRyN0C3cJ9E07GlCfFSdnYgBmMFIMxYAAZRwwuUE3VD42OGS3eWeVXG+2QSxw=
X-Received: by with SMTP id l12mr493763ljb.44.1509124440821; Fri, 27 Oct 2017 10:14:00 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 27 Oct 2017 10:13:59 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
From: Patrick McManus <>
Date: Fri, 27 Oct 2017 13:13:59 -0400
X-Gmail-Original-Message-ID: <>
Message-ID: <>
To: John Fallows <>
Cc: Patrick McManus <>, hybi <>, HTTP Working Group <>
Content-Type: multipart/alternative; boundary="f403045f8c5637970e055c8a6ab6"
Archived-At: <>
Subject: Re: [hybi] Fwd: New Version Notification for draft-mcmanus-httpbis-h2-websockets-01.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Oct 2017 17:14:05 -0000

On Fri, Oct 27, 2017 at 12:42 PM, John Fallows <>

> Hi Patrick,
> There seems to be no requirement to change the scheme to wss for a
> functional handshake using TUNNEL method plus :protocol header with value
> websocket.

I'm not changing the scheme. It was also wss in http/1.1 as well - its just
that scheme does not typically appear on the wire in that protocol. My
reference to 7540 explicitly talks about non http schemes (ftp is
the most common). That doesn't make CONNECT/TUNNEL non http.. it just means
http is being used to interact with a non-http service..

> In the example, the target URL used by the WebSocket on the wire would be

no.. the target url is wss:// and this is a
definition of how to use h2 to access that service. This document doesn't
say anything about how to access an https:// schemed url. If the URL were it would be rejected by a websocket client which
requires ws or wss. PAC evaluation also expects ws/wss schemes.

> The cross-origin security checks (etc) are enforced by HTTP-specific
> validation of the request headers prior to processing the TUNNEL method
> semantics. If the validation fails, then the request never became a
> WebSocket. Only after a successful HTTP response is provided can the pair
> of HTTP/2 streams be considered a WebSocket.

maybe you're confusing protocol with scheme?

> Even after this was cleaned up to be a fully HTTP/1.1 compliant handshake,
> as part of the work in IETF HyBi, the "ws" and "wss" schemes remained in
> use on the client (only) but were deliberately not exposed on the wire.

whether or not the scheme is on the wire is a property of http - not
something hybi was ever in a position to standardize. (thus the 'cleanup'.)

one weird note of 7230 5.3.2 requires that servers MUST accept absolute
form requests even though clients are forbidden from sending them to
non-proxies. The absolute form here would be wss://.. so this is an h1
thing too it just wasn't obvious.

> Having separate schemes for protocols that must start out life as HTTP
> forces questions about port defaulting for those schemes. Since the "ws"
> and "wss" schemes ended up being treated the same as "http" and "https" in
> terms of port defaulting, there doesn't seem to be much value in
> propagating the "wss" scheme to the server especially when the :protocol
> header is present with value "websocket".

you can of course imagine :protocol changing to be websocket2 with the
scheme not changing.

> Hope this is helpful.
> Kind Regards,
> John Fallows
> CTO, Kaazing
> On Fri, Oct 27, 2017 at 5:33 AM Patrick McManus <>
> wrote:
>> thanks for the feedback.. start with a tightly scoped issue first:
>> On Thu, Oct 26, 2017 at 3:47 PM, John Fallows <>
>> wrote:
>>> Note also that the scheme is "https" rather than "wss" because the HTTP
>>> request is still "https" until *after* the TUNNEL has been established, and
>>> the TUNNEL protocol being selected is based on :protocol header rather
>>> than the :scheme header.
>> I don't think so.. there is no https target URL in play here.  7540
>> talks about non http schemes allowing the use of HTTP to interact
>> with non-http services this way.
>> --
> *John Fallows*
> CTO*  |  *đź“ž+1.415.215.6597
> *----------------------------------------------------------------------*
> KAAZING >|<  when real-time matters™
> <>  |  Blog
> <>  |  Twitter <>