[hybi] [Technical Errata Reported] RFC6455 (7262)
RFC Errata System <rfc-editor@rfc-editor.org> Fri, 09 December 2022 13:55 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51A7AC15170C for <hybi@ietfa.amsl.com>; Fri, 9 Dec 2022 05:55:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.646
X-Spam-Level:
X-Spam-Status: No, score=-1.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id itBNSRfgX9BA for <hybi@ietfa.amsl.com>; Fri, 9 Dec 2022 05:55:18 -0800 (PST)
Received: from rfcpa.amsl.com (rfc-editor.org [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8353DC15170F for <hybi@ietf.org>; Fri, 9 Dec 2022 05:55:18 -0800 (PST)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 3B79B55D24; Fri, 9 Dec 2022 05:55:18 -0800 (PST)
To: ifette+ietf@google.com, Alexey.Melnikov@isode.com, superuser@gmail.com, francesca.palombini@ericsson.com, Salvatore.Loreto@ericsson.com, Gabriel.Montenegro@microsoft.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: demi.yoosefi@gmail.com, hybi@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20221209135518.3B79B55D24@rfcpa.amsl.com>
Date: Fri, 09 Dec 2022 05:55:18 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/hybi/Sm9JZCqLrkNORpBA0nnRgJKEQhc>
Subject: [hybi] [Technical Errata Reported] RFC6455 (7262)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hybi/>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2022 13:55:22 -0000
The following errata report has been submitted for RFC6455, "The WebSocket Protocol". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid7262 -------------------------------------- Type: Technical Reported by: Demi Y <demi.yoosefi@gmail.com> Section: 5.5.1 Original Text ------------- Following the 2-byte integer, the body MAY contain UTF-8-encoded data with value /reason/, the interpretation of which is not defined by this specification. This data is not necessarily human readable but may be useful for debugging or passing information relevant to the script that opened the connection. As the data is not guaranteed to be human readable, clients MUST NOT show it to end users. Corrected Text -------------- > Following the 2-byte integer, the body MAY contain data which MUST be UTF-8-encoded with value /reason/, the interpretation of which is not defined by this specification. > As the interpretation is not defined here, clients MAY show it to end users. ----- OR ----- > Following the 2-byte integer, the body MAY contain arbitrary data, the interpretation of which is not defined by this specification. > As the interpretation is not defined here, clients MAY hide it from end users. Notes ----- The RFC is unclear on whether or not close-frames can contain binary data for the /reason/. In section 5.2, "Application data" is defined as "arbitrary". Section 5.5.1 also says about the /reason/: > This data is not necessarily human readable ... > As the data is not guaranteed to be human readable ... Ok, but what if it is? As per RFC 2119, The "MUST NOT show it to end users" here is not a mere suggestion. It implies some sort of inherent danger or contract breaking that would occur if the data were "shown" (undefined term), as if passing along UTF-8 text in a controlled manner could cause harm to their application. Due to the "MUST NOT", the "MAY contain UTF-8-encoded data" here is ambiguous. It implies it could be something other than UTF-8, like binary data, which would be unsafe to blindly "show" to the "end user" (undefined term). There is no clear reason as to why it (emphatically) "MUST NOT" be shown to "end users". Who is the client and who is the "end user"? This is the only occurrence of "end user" in the RFC. Is the "client" the browser, and the "end user" the developer trying to debug their application, but "MUST NOT" see close /reason/s? In practice, the close reason is of course exposed by browsers. But then is the end user the non-developer who triggers an unexpected error on the server, and has no way to report a bug since the server's error /reason/ MUST NOT be shown to them? Why MUSTN'T it be shown? Is it because it MAY contain binary data? Clarification is needed on whether or not the /reason/ can contain arbitrary binary data. And the imperative restriction on what the undefined "end user" can be "shown" should be loosened. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC6455 (draft-ietf-hybi-thewebsocketprotocol-17) -------------------------------------- Title : The WebSocket Protocol Publication Date : December 2011 Author(s) : I. Fette, A. Melnikov Category : PROPOSED STANDARD Source : BiDirectional or Server-Initiated HTTP APP Area : Applications Stream : IETF Verifying Party : IESG
- [hybi] [Technical Errata Reported] RFC6455 (7262) RFC Errata System