Re: [hybi] Redesigning the Web Socket handshake
Ian Hickson <ian@hixie.ch> Tue, 02 February 2010 03:14 UTC
Date: Tue, 02 Feb 2010 03:15:11 +0000
From: Ian Hickson <ian@hixie.ch>
To: Greg Wilkins <gregw@webtide.com>
In-Reply-To: <4B676E8C.70804@webtide.com>
Message-ID: <Pine.LNX.4.64.1002020311030.3846@ps20323.dreamhostps.com>
References: <Pine.LNX.4.64.1002012305000.21600@ps20323.dreamhostps.com> <4B676E8C.70804@webtide.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] Redesigning the Web Socket handshake

On Tue, 2 Feb 2010, Greg Wilkins wrote:
>
> I think you've left out the main suggestion that's been made on this
> list.
>
> Leave the handshake more or less as it is, but specify it as a real HTTP
> request and real HTTP response, rather than a binary almost-equivalent.

That's basically a non-starter, IMHO. The HTTP rules are orders of
magnitude more complicated than necessary here. Given the goal of making
this trivially implementable, we can't require that servers implement
every last detail of the HTTP rules.

> The immediate benefits of this change are:
>
>  + that it allows the handshake to work with existing HTTP servers and
>    intermediaries.
>
>  + No need to explicitly specify behaviour such as HttpOnly cookies.
>    That behaviour is inherited from the HTTP specs.
>
>  + If HTTP/1.2 or HTTP/2.0 ever come out, then websocket will
>    continue to work with new servers as the binary response
>    line will not need to be changed.

We can handle all three of these points without going anywhere _near_ the
full HTTP rules with all their complications.

> It would allow some simple extensions.

Extensions should be done by changes to the spec, no need for the whole
HTTP ruleset. Even with the current strict rules it's easy to extend the
spec in the future.

> For example redirection could be supported with a 302 response. For
> example if the server responded with
>
>   HTTP/1.1 302 Found
>   Location: ws://foo.com:81

The spec actually has redirect support already, but it is commented out
because it introduces a number of security problems. In practice it's
unnecessary; just do the redirect at the subprotocol level if you need it.

> then the ws client could open port 81 and immediately start talking
> websocket without any handshake at all (because of the ws://).

That would be a pretty big security hole!

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'