IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

"Simon Pieters" <simonp@opera.com> Tue, 28 September 2010 09:36 UTC

Return-Path: <simonp@opera.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 979BE3A6C32 for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 02:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4QhWKPdIzPh for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 02:36:40 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 697F53A6C31 for <hybi@ietf.org>; Tue, 28 Sep 2010 02:36:40 -0700 (PDT)
Received: from simon-pieterss-macbook.local (sgw-oslo2.opera.com [213.236.208.46]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o8S9ae4N017114 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 28 Sep 2010 09:36:41 GMT
Content-Type: text/plain; charset="utf-8"; format="flowed"; delsp="yes"
To: Maciej Stachowiak <mjs@apple.com>, Willy Tarreau <w@1wt.eu>
References: <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <AANLkTinACqm-GxUPhvFMf6_sGfeJofwy1r=28o=vgM43@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <20100928053255.GE12373@1wt.eu>
Date: Tue, 28 Sep 2010 11:36:39 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: Simon Pieters <simonp@opera.com>
Message-ID: <op.vjqkzdflidj3kv@simon-pieterss-macbook.local>
In-Reply-To: <20100928053255.GE12373@1wt.eu>
User-Agent: Opera Mail/10.62 (MacIntel)
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 09:36:41 -0000

On Tue, 28 Sep 2010 07:32:55 +0200, Willy Tarreau <w@1wt.eu> wrote:

> On Mon, Sep 27, 2010 at 10:28:31PM -0700, Maciej Stachowiak wrote:
>> > I really think that if we can get a clean WS-based handshake, we can
>> > get rid of the Sec-* headers, as the WS handshake will validate a much
>> > more serious part of the protocol than the HTTP headers with their
>> > tricks.
>>
>> If we go with an HTTP-based handshake at all, we have to keep something  
>> in the original HTTP request that browser-hosted HTTP clients are  
>> assumed unable to send. Otherwise we'll significantly increase the risk  
>> of HTTP-vs-WebSocket cross-protocol attacks.
>
> The client is as much unable to send "Upgrade: Websocket" as it is to
> send "Sec-*".

But WebSocket servers are not forced to read the Upgrade header in order  
to produce a correct response, which means that some servers won't.


> Either the client code controls all headers or it controls
> none.

No. XMLHttpRequest can set arbitrary headers, but cannot set headers  
starting with "Sec-" (as it happens it also can't set the Upgrade header).

-- 
Simon Pieters
Opera Software

v2.23.0 | Report a Bug | By Email