Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Salvatore Loreto <salvatore.loreto@ericsson.com> Mon, 01 February 2010 10:26 UTC

Return-Path: <salvatore.loreto@ericsson.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A83A3A692F for <hybi@core3.amsl.com>; Mon, 1 Feb 2010 02:26:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.158
X-Spam-Level:
X-Spam-Status: No, score=-6.158 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMrH1J6mlOBx for <hybi@core3.amsl.com>; Mon, 1 Feb 2010 02:26:04 -0800 (PST)
Received: from mailgw5.ericsson.se (mailgw5.ericsson.se [193.180.251.36]) by core3.amsl.com (Postfix) with ESMTP id E6EA93A692B for <hybi@ietf.org>; Mon, 1 Feb 2010 02:26:03 -0800 (PST)
X-AuditID: c1b4fb24-b7cfcae000005f96-c6-4b66ac5c8079
Received: from esealmw127.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw5.ericsson.se (Symantec Mail Security) with SMTP id 51.8D.24470.C5CA66B4; Mon, 1 Feb 2010 11:26:36 +0100 (CET)
Received: from esealmw129.eemea.ericsson.se ([153.88.254.177]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Mon, 1 Feb 2010 11:26:36 +0100
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Mon, 1 Feb 2010 11:26:35 +0100
Received: from nomadiclab.lmf.ericsson.se (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 6A96C2468; Mon, 1 Feb 2010 12:26:32 +0200 (EET)
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 326C121A41; Mon, 1 Feb 2010 12:26:32 +0200 (EET)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id D0BDC219D2; Mon, 1 Feb 2010 12:26:31 +0200 (EET)
Message-ID: <4B66AC57.6020504@ericsson.com>
Date: Mon, 01 Feb 2010 12:26:31 +0200
From: Salvatore Loreto <salvatore.loreto@ericsson.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20100120 Fedora/3.0.1-1.fc12 Thunderbird/3.0.1
MIME-Version: 1.0
To: Maciej Stachowiak <mjs@apple.com>
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com> <4B627C98.60406@ericsson.com> <bbeaa26f1001282222p1ccb6a34s7fe79609c4a832e5@mail.gmail.com> <4B62ECFA.5080304@webtide.com> <C485F6C3-642B-4897-A034-E4A4BC4316B5@apple.com>
In-Reply-To: <C485F6C3-642B-4897-A034-E4A4BC4316B5@apple.com>
Content-Type: multipart/alternative; boundary="------------040102080202010006060905"
X-Virus-Scanned: ClamAV using ClamSMTP
X-OriginalArrivalTime: 01 Feb 2010 10:26:35.0585 (UTC) FILETIME=[07F34310:01CAA329]
X-Brightmail-Tracker: AAAAAA==
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2010 10:26:10 -0000

-as individual-

I agree too, and I see the need to use HttpOnly.
I was just trying to highlight that in the end WebSocket does not only 
share a port with the HTTP/Web Server,
it is also supposed to share other information (i.e. in this case cookies!!!).
The spec implicitly assumes that the WebSocket server can access the 
information that the Web Server possesses.



On 01/29/2010 08:22 AM, Ian Fette (イアンフェッティ) wrote:
> 2010/1/28 Salvatore Loreto <salvatore.loreto@ericsson.com 
> <mailto:salvatore.loreto@ericsson.com>>
>
>     Hi,
>
>     thanks for moving back to the original question.
>     My original mail was a call to discuss the technical aspects
>     openly on the mailing list, so as to let the spec move forward.
>
>
>     I agree that it would be useful to use cookies on WebSocket,
>     however I have some perhaps stupid doubts and questions on their
>     usage that I'd like to have clarified
>
>     1) Is the usage of cookies optional or is it mandatory?
>     What will happen in the few cases where the WebSocket is
>     established without the user having already logged into a page?
>
>
> I assume this would be left up to the application. If the server is 
> expecting some sort of authentication cookie and doesn't get one, it 
> can attempt to do authentication in an application-specific manner 
> over the websocket connection, it can close the websocket connection, 
> it can transmit some application-specific error message to the client 
> over the websocket connection, etc.

I'd like the spec to be more detailed about the correct server behaviour in 
this situation.


regards
Sal


On 01/30/2010 04:28 AM, Maciej Stachowiak wrote:
>
> On Jan 29, 2010, at 6:13 AM, Greg Wilkins wrote:
>
>> Ian Fette (イアンフェッティ) wrote:
>>
>>>
>>> cookies are already sent with WS, the only question is whether that
>>> includes or excludes cookies that are HttpOnly
>>
>> The upgrade request is an HTTP request (well at least it should be
>> an HTTP request, and not just something that strongly resembles one),
>> so I believe HttpOnly cookies should be included.
>>
>> This would not expose the cookie and its value to the
>> javascript in the browser, nor can I think of any way that this reduces
>> the security provided by HttpOnly.
>
> I agree. The purpose of HttpOnly is to prevent the cookie from being 
> seen by scripting APIs, not to limit the network protocols over which 
> it is provided. Thus, sending it over WebSocket connections would be 
> in line with its purpose, and I think this is the case whether or not 
> we think the WebSocket upgrade request is or is not HTTP.
>
> Regards,
> Maciej
>
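The point the thread converges on (the upgrade request is an HTTP request, so the browser attaches HttpOnly cookies to it, and the server decides what to do when the expected cookie is absent) is easy to see in code. The following is an added example, not code from the thread, from Ericsson, Apple or the hybi working group: a server-side handshake check that reads the Cookie header of the upgrade request, looks the session up, and either completes the handshake or rejects it with 401 before any WebSocket connection exists (the "close the connection" option Ian Fette lists, applied at handshake time). It assumes the RFC 6455 handshake (Sec-WebSocket-Key / Sec-WebSocket-Accept), which postdates this 2010 discussion, a hypothetical cookie named `session`, and a constructed in-memory session table in place of a real session store.

```python
import base64
import hashlib
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# GUID fixed by RFC 6455 for deriving Sec-WebSocket-Accept from Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed session table: cookie value -> user. A real server would consult
# its session backend; the token and user name here are made up.
VALID_SESSIONS = {"s3cr3t-session-token": "alice"}


def parse_upgrade_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 upgrade request into (method, target, headers).

    Header names are lower-cased. The handshake is an ordinary HTTP request,
    so Cookie is parsed like any other header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def session_from_cookies(cookie_header: Optional[str]) -> Optional[str]:
    """Return the user bound to the 'session' cookie, or None if absent/invalid.

    On the wire an HttpOnly cookie is indistinguishable from any other cookie:
    the attribute only restricts script access inside the browser, so the
    server sees exactly the same Cookie header either way."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    if morsel is None:
        return None
    return VALID_SESSIONS.get(morsel.value)


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)) per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_response(raw: bytes) -> bytes:
    """Decide the server's response to an upgrade request.

    Policy: the session cookie is checked before the upgrade completes, so an
    unauthenticated client never obtains a WebSocket connection at all."""
    method, _target, h = parse_upgrade_request(raw)
    if (method != "GET" or h.get("upgrade", "").lower() != "websocket"
            or "sec-websocket-key" not in h):
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    user = session_from_cookies(h.get("cookie"))
    if user is None:
        # Reject at handshake time; the browser surfaces a failed connection.
        return b"HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n"
    accept = accept_key(h["sec-websocket-key"]).encode("ascii")
    return (
        b"HTTP/1.1 101 Switching Protocols\r\n"
        b"Upgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: " + accept + b"\r\n"
        b"\r\n"
    )


# Constructed sample upgrade requests (not captured traffic). The key is the
# example key from RFC 6455 section 1.3; the cookie names are hypothetical.
AUTHENTICATED = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: server.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Cookie: theme=dark; session=s3cr3t-session-token\r\n"
    b"\r\n"
)
# Same request from a browser that holds no session cookie.
ANONYMOUS = AUTHENTICATED.replace(
    b"Cookie: theme=dark; session=s3cr3t-session-token\r\n", b"")

if __name__ == "__main__":
    print(handshake_response(AUTHENTICATED).decode("ascii"))
    print(handshake_response(ANONYMOUS).decode("ascii"))
```

Two things worth noting about the design. First, nothing in `session_from_cookies` can tell whether the cookie was set with HttpOnly, which is exactly Maciej's point: the attribute governs `document.cookie` visibility, not which protocol carries the cookie. Second, the browser's WebSocket API offers no way for script to add or read headers on the upgrade request, so the cookie reaches the server only because the browser attaches it itself; rejecting at handshake time, rather than after the upgrade, keeps unauthenticated clients from ever holding an open socket.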