Re: [hybi] Revised WebSocket Feedback
Takeshi Yoshino <tyoshino@google.com> Mon, 15 March 2010 09:31 UTC
Return-Path: <tyoshino@google.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7ED8E3A68DC for <hybi@core3.amsl.com>; Mon, 15 Mar 2010 02:31:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.776
X-Spam-Level:
X-Spam-Status: No, score=-102.776 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GPm8uJRvA3sm for <hybi@core3.amsl.com>; Mon, 15 Mar 2010 02:31:34 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 37DBB3A6934 for <hybi@ietf.org>; Mon, 15 Mar 2010 02:30:54 -0700 (PDT)
Received: from kpbe11.cbf.corp.google.com (kpbe11.cbf.corp.google.com [172.25.105.75]) by smtp-out.google.com with ESMTP id o2F9UxU2027592 for <hybi@ietf.org>; Mon, 15 Mar 2010 09:31:00 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1268645460; bh=UGKjzXQg2niKGXtkKy5RkwHBouM=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=kIKLv1MU+gbDaNKICED6Vxr9wtOEMxaN4W8nnHGduZZFK05kOUl2ZGisCM4GUHChC 7p81wcf/Ll0UbJTi0Y2IQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=A/qLlKaIgROqDA6RDRqywwjLSk7FCM87mNVpkU7Uqrwx6IcjHM5dVbdGedHWYE1IE nxjgG8OE8J1WPEni8R+Ag==
Received: from gyg8 (gyg8.prod.google.com [10.243.50.136]) by kpbe11.cbf.corp.google.com with ESMTP id o2F9UwTp005276 for <hybi@ietf.org>; Mon, 15 Mar 2010 04:30:58 -0500
Received: by gyg8 with SMTP id 8so1726341gyg.33 for <hybi@ietf.org>; Mon, 15 Mar 2010 02:30:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.91.164.5 with SMTP id r5mr1975327ago.95.1268645458230; Mon, 15 Mar 2010 02:30:58 -0700 (PDT)
In-Reply-To: <B578CFED7FE85644A170F4F7C9D52692019544C5@ESESSCMS0361.eemea.ericsson.se>
References: <Acq+3K7V2larVGEjRiejqmwvDfLl8A==> <B578CFED7FE85644A170F4F7C9D52692019544C5@ESESSCMS0361.eemea.ericsson.se>
From: Takeshi Yoshino <tyoshino@google.com>
Date: Mon, 15 Mar 2010 18:30:38 +0900
Message-ID: <3d5f2a811003150230sdeb4f78hbdece96e5c742cfc@mail.gmail.com>
To: Vladimir Katardjiev <vladimir.katardjiev@ericsson.com>
Content-Type: multipart/alternative; boundary="0016e640d430e23ea00481d38951"
X-System-Of-Record: true
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Revised WebSocket Feedback
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2010 09:31:35 -0000
Hi, 2010/3/9 Vladimir Katardjiev <vladimir.katardjiev@ericsson.com> > Heya, > > So, after some implementation work it's time to channel some responses. > > First, a copy/paste error. Page 31 seems to be missing Sec-WebSocket-Key2. > > Same page, you probably meant | instead of " in > > (such as |Cookie") > > Also, this might be just my reading comprehension, but the following > paragraph caused a double-take > > if a server assumes that its clients are authorized > on the basis that they can connect [...] then the server > should also verify that the client's handshake includes the > invariant "Upgrade" and "Connection" parts of the handshake, and > should send the server's handshake before changing any user data. > > Checking Upgrade and Connection is redundant if Sec-WebSocket-* are present > from a browser PoV;that was the point of them, no? Furthermore, it is not > evident that by /sending/ a reply you're preventing cross-protocol attacks. > I guess you meant by reading the client's handshake (which just happens to > be a part of the "sending reply" section). > > Right, time to graduate from reading comprehension into actual questions. > The big addition obviously Sec-WebSocket-Key1/2. Are there any fundamental > limitations on where spaces can and should occur in the header? According to > my interpretation as it stands, the following string is a perfectly valid > key: " 4abcd". Is this intended? And, if so, can the leading (or > trailing, if so inclined) spaces cause issues when parsing by > proxies/existing stacks? > > E.g. when /number_1/ is set to 0, /key_1/ will be "0" regardless of /spaces_1/. Then, in step 21, we have to insert /spaces_1/ spaces into this string with a length of 1. This is problematic since the only possible positions for the first insertion are the head and tail of the target string. I agree that we should avoid putting spaces on the tail or the head (at least putting a space for this algorithm on the head must be prohibited). How about swapping step 21 and 22? > Also, I must've missed the big discussion, but what's the rationale of > having two key headers. One I can buy, but since it should already be > impossible to create a Sec-* header from a browser, AND it is impossible to > add spaces to the header value, AND it is a GET with a body, it's already > triple impossible (impossibler? impossiblest?) for XHR/CORS to forge. If > someone has a handy link to where this suggestion was born it'd be > appreciated, because this seems like quite a bit of computation involved. > > The junk characters in the handshake also seem redundant. If you already > need to verify the correct number of spaces this means you are checking for > spaces already. As for the garbage characters, all they made me do was > replace("[^0-9]", '') instead of replace(' ', '') so I'd say they didn't > alter the functionality of my code other than take up more CPU cycles. > > The closing handshake is also interesting. Maybe state in 5.3. that the > server shouldn't disconnect on 0xFF (instead of may; it still may, but is > discouraged from doing so since it may cause data loss. If the target > audience really is the kind of programmer you need to verify their code by > actually ensuring they read the spaces, then make the default level of the > protocol ensure data integrity, because that's what they'll see in the lab > network). > > Finally, and probably my smallest serious gripe, but what's up with the mix > of references to ASCII and UTF-8 as characters. It is all technically > correct, to nobody's surprise, but it's distracting to read. I hope it's > just a transitional thing and it'll eventually be UTF-8 throughout but it > was just too boring to do it all at once. > > Cheers, > Vladimir > > PS, some notes that border on the psychopathic crazy programmer in a dark > dungeon mindset. These can be safely ignored. > > Page 20: EXAMPLE: For example > > Acknowledgement: OK! > > Page 22: -> If the byte is 0x3A (ASCII :) > > The internet has damaged me so badly this was a smiley face. > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi >
- [hybi] Revised WebSocket Feedback Vladimir Katardjiev
- Re: [hybi] Revised WebSocket Feedback Takeshi Yoshino
- Re: [hybi] Revised WebSocket Feedback Fumitoshi Ukai (鵜飼文敏)
- Re: [hybi] Revised WebSocket Feedback Takeshi Yoshino
- [hybi] WebSockets feedback Ian Hickson
- Re: [hybi] WebSockets feedback Pieter Hintjens
- Re: [hybi] WebSockets feedback Greg Wilkins
- [hybi] email granularity, was: WebSockets feedback Julian Reschke
- Re: [hybi] email granularity, was: WebSockets fee… Pieter Hintjens
- Re: [hybi] email granularity, was: WebSockets fee… Anne van Kesteren
- Re: [hybi] email granularity, was: WebSockets fee… Ian Hickson
- Re: [hybi] email granularity, was: WebSockets fee… Julian Reschke
- Re: [hybi] email granularity, was: WebSockets fee… Michael Carter
- Re: [hybi] email granularity, was: WebSockets fee… Justin Erenkrantz
- Re: [hybi] email granularity, was: WebSockets fee… Greg Wilkins
- Re: [hybi] email granularity, was: WebSockets fee… Julian Reschke
- Re: [hybi] email granularity, was: WebSockets fee… SM
- Re: [hybi] email granularity, was: WebSockets fee… Greg Wilkins
- Re: [hybi] email granularity, was: WebSockets fee… Tim Bray
- Re: [hybi] email granularity, was: WebSockets fee… Pieter Hintjens
- Re: [hybi] email granularity, was: WebSockets fee… SM
- Re: [hybi] email granularity, was: WebSockets fee… Ian Hickson
- Re: [hybi] email granularity, was: WebSockets fee… Maciej Stachowiak
- Re: [hybi] email granularity, was: WebSockets fee… Pieter Hintjens
- Re: [hybi] email granularity, was: WebSockets fee… Greg Wilkins
- Re: [hybi] email granularity, was: WebSockets fee… L.Wood