Re: [hybi] New Version Notification for draft-mcmanus-httpbis-h2-websockets-00.txt

Jesse Wilson <> Mon, 16 October 2017 08:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 109A013448A for <>; Mon, 16 Oct 2017 01:34:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.219
X-Spam-Status: No, score=-1.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6kBtPlBPjN4n for <>; Mon, 16 Oct 2017 01:34:46 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2B7AD13448C for <>; Mon, 16 Oct 2017 01:34:46 -0700 (PDT)
Received: by with SMTP id q132so638584wmd.2 for <>; Mon, 16 Oct 2017 01:34:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JePazUvDQ2/L2ptWWso+YJtPjqnTRByc1unEVDPdJ2Y=; b=TwWuHd3hHFKpoDHTTOpQITu8/Km57CvG6wA4u505+NEb14V4jE65VMQncAbpAicAa+ vsSOxrcbwXgQBRTYHwIMYPcGJ2WIfGhGUtqQ2aLnoAyzvZEvinBFqTcpx67wWui073Cc FjL2H11Vqit+mS/IK3hQAkQ1euAcEGFze//5BlRH7ZaFGN6F2kAn7L9yMCTOEmqJ7vnf y38SP3lMMrqYtdZl3coQ2ulbKf3RbySMJI4+aZ6glvcU5btaQ6uYUWQtREoTLT1ot6yj w6yOAByXpfJ7oO1uwq0kbfT46WaO16vfbWF4OwwtCTyicjaeW+kbmzk+34lspwYu+q/2 eWhg==
X-Gm-Message-State: AMCzsaXzs8oYvhF75QM3LaqkLYOqEbmUAatmex2TVE4llurQRJaKLT+j zGwtUuPZVJwNuTuNuTM8jcSJAWgD41mncnDgK0g=
X-Google-Smtp-Source: AOwi7QDUGp4RmPrIvCRjqIRvzdE80BRX51p0OCw4O3rz6kto0DF2NCjNE4/jeuJYXsTpIdVAWsDk35IQAOvTy1qGg34=
X-Received: by with SMTP id 26mr8178377wrx.137.1508142884457; Mon, 16 Oct 2017 01:34:44 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Jesse Wilson <>
Date: Mon, 16 Oct 2017 08:34:32 +0000
Message-ID: <>
To: Martin Thomson <>
Cc: Andy Green <>, Cory Benfield <>, HTTP Working Group <>, Patrick McManus <>, Patrick McManus <>, hybi <>
Content-Type: multipart/alternative; boundary="001a1146c57ee616a8055ba5e0e4"
Archived-At: <>
Subject: Re: [hybi] New Version Notification for draft-mcmanus-httpbis-h2-websockets-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Oct 2017 08:34:48 -0000

I think this proposal is a nice shortcut to getting the benefits of
websockets on HTTP/2 without redesigning much. It’s something we could
probably add to OkHttp and MockWebServer in just a few days.

There’s a policy question on what clients should do when a websocket is the
first request to a target host. We can build an HTTP/2 connection and then
hope to layer websockets on top, or build a bare websockets connection
directly and forgo HTTP/2 multiplexing. Browsers might choose to persist
settings to inform this decision. Or it would be handy to hint this in the
ALPN protocols, though that would require the TLS layer to be aware of this

It’s worth explaining what should happen if a naughty client doesn’t
attempt a websocket upgrade within the DATA frames of a stream established
for that purpose. In particular, a naïve webserver might honor any HTTP/1
request here; that seems like a potential attack vector. Suppose I send

  GET /admin HTTP/1.1
  host: localhost

Can I can trick a server into treating my request as originating from
localhost? The HTTP/2 layer will have already routed the authority for this
request but an attacker could contradict that!

Nice to see a websockets and HTTP/2 proposal. Thanks!

– Jesse