Re: [hybi] Web sockets and existing HTTP stacks
Maciej Stachowiak <mjs@apple.com> Wed, 03 February 2010 08:22 UTC
Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AEEF13A6A8B for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 00:22:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.42
X-Spam-Level:
X-Spam-Status: No, score=-106.42 tagged_above=-999 required=5 tests=[AWL=0.179, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dw-Cbor-sEI5 for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 00:22:43 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id EACB93A6A8A for <hybi@ietf.org>; Wed, 3 Feb 2010 00:22:43 -0800 (PST)
Received: from relay16.apple.com (relay16.apple.com [17.128.113.55]) by mail-out4.apple.com (Postfix) with ESMTP id A113F89E5478 for <hybi@ietf.org>; Wed, 3 Feb 2010 00:23:25 -0800 (PST)
X-AuditID: 11807137-b7bd4ae000000f0d-63-4b69327dcd46
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay16.apple.com (Apple SCV relay) with SMTP id B3.68.03853.D72396B4; Wed, 3 Feb 2010 00:23:25 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.86.222] by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KX900LL8BB0EJ80@elliott.apple.com> for hybi@ietf.org; Wed, 03 Feb 2010 00:23:25 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4B692EDB.1060300@gmx.de>
Date: Wed, 03 Feb 2010 00:23:24 -0800
Message-id: <E9DF7FE9-70F0-4268-8CEF-1007D71F9FBB@apple.com>
References: <557ae280911171402v7546e5e7n93a1e57f87dc10e5@mail.gmail.com> <5c902b9e0912181640n497169cdrfa71f9a2908e6ef3@mail.gmail.com> <20091219005442.GA10949@shareable.org> <4B2C287E.1030006@webtide.com> <Pine.LNX.4.64.1001310835410.3846@ps20323.dreamhostps.com> <4B67A237.2040505@webtide.com> <ad99d8ce1002012139l3b8f525bj9caf7861332f3d18@mail.gmail.com> <1427E183-FDBC-4854-9455-B93AB28DAB03@apple.com> <ad99d8ce1002012343n132169f8wbaacc1cf4efe2f87@mail.gmail.com> <31123817-6D3F-489D-9F48-109AC93E6769@apple.com> <ad99d8ce1002030000i566f3517qddf4e62f386c9211@mail.gmail.com> <4B692EDB.1060300@gmx.de>
To: Julian Reschke <julian.reschke@gmx.de>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: hybi@ietf.org
Subject: Re: [hybi] Web sockets and existing HTTP stacks
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 08:22:44 -0000
On Feb 3, 2010, at 12:07 AM, Julian Reschke wrote: > Roberto Peon wrote: >> On Tue, Feb 2, 2010 at 5:25 PM, Maciej Stachowiak <mjs@apple.com <mailto:mjs@apple.com>> wrote: >> On Feb 1, 2010, at 11:43 PM, Roberto Peon wrote: >>> Simple-- the proxy won't know that the response from the server is >>> websocket specific, and may reorder things. >>> You should not assume that the termination point (the "host") is a >>> server. It could be a reverse proxy. In such cases, the proxy >>> needs to treat the response as HTTP until it has been fully read >>> and interpreted. >>> >>> This response IS HTTP, so HTTP rules apply. It isn't a some random >>> more-restrictive subset of the response rules. It is still HTTP at >>> that point. That means that you don't get to add additional >>> restrictions on that request. If you do, then you're creating >>> headaches for everyone. >> OK, just to clarify, are you saying that it's specifically the >> constraint on header ordering that is a problem? I'm trying to >> figure out which specific requirements are problematic and why. For >> example, is the requirement to have some special text in the status >> line acceptable? >> Having some required header ordering is a problem. >> As for special text in the status line, I'd have to examine the spec again to be sure-- if proxies have the ability to drop the status text (the third part of the first line of the HTTP response, which I'm assuming we're talking about here), then it shouldn't be relied upon. >> ... > > I don't think HTTP specifies this. As Status-Phrase is just informational, I wouldn't surprised when it happened, or when it was rewritten. I'm pretty sure that there are server frameworks where it can't easily be set. I am pretty sure a lot of popular servers do let modules/extensions/scripts running inside them set it, so I don't think this is a huge practical problem. > > Anyway: if another line of defense is added (and that's how I understand Maciej's proposal), is there still a point to insist on the exact Status-Phrase? According to a security expert I asked, the strongest defense against cross-protocol attacks is in the first few bytes. So I think removing all requirements on the status-phrase would make the protocol less robust against cross-protocol attacks. Regards, Maciej
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Jamie Lokier
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Greg Wilkins
- [hybi] Fwd: Web sockets and existing HTTP stacks Christian Biesinger
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Jamie Lokier
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Christian Biesinger
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Ian Hickson
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Alexey Proskuryakov
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Justin Erenkrantz
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Jamie Lokier
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Justin Erenkrantz
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Jamie Lokier
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Mark Nottingham
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Ian Hickson
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Ian Hickson
- Re: [hybi] Web sockets and existing HTTP stacks Justin Erenkrantz
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks L.Wood
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Justin Erenkrantz
- Re: [hybi] Web sockets and existing HTTP stacks SM
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Mark Nottingham
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks SM
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- [hybi] Sentinel framing. was: Web sockets and exi… Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Francis Brosnan Blazquez
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Julian Reschke
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Vladimir Katardjiev
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak