Re: [hybi] workability (or otherwise) of HTTP upgrade
Zhong Yu <zhong.j.yu@gmail.com> Fri, 10 December 2010 01:45 UTC
Return-Path: <zhong.j.yu@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F08CE28C11E for <hybi@core3.amsl.com>; Thu, 9 Dec 2010 17:45:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.363
X-Spam-Level:
X-Spam-Status: No, score=-3.363 tagged_above=-999 required=5 tests=[AWL=0.236, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJ5RY-SFHjnU for <hybi@core3.amsl.com>; Thu, 9 Dec 2010 17:45:24 -0800 (PST)
Received: from mail-ew0-f53.google.com (mail-ew0-f53.google.com [209.85.215.53]) by core3.amsl.com (Postfix) with ESMTP id 8704328C113 for <hybi@ietf.org>; Thu, 9 Dec 2010 17:45:23 -0800 (PST)
Received: by ewy6 with SMTP id 6so2291881ewy.40 for <hybi@ietf.org>; Thu, 09 Dec 2010 17:46:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=JqMLO9whsi/ShiSX5VXivVrekPnmctW8VWcIU4u5lY4=; b=QhYojeYnHl0KUPlFpTpJJrsIKgME8M381+xKKB+k7X9PWS5nIUh9hl8f2bbkyX24yj dKYPq5kRbfV8a0gqTkCbyvGdY/9vzyeWpEOm/c/A4DlBWhhvaYG05OVRchmahwrJnPhI 3fpIogeGdclMKtjvIVAHG4P+50pA8mK4bRu/8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=t/DtTPUCzfqwlaUFvQGDm+7TSlQKU48r65ovqBtHC8xT+md6Hfu2kLiunS/eAwN5TQ QyEfeTPjeISIWGTqpb3oJa9Lfye/gUi7Z6YTmkEkUYiIzZ1Xt759hGpvmlDuf+i/eVjN KmZKFzf6+R0XZtKviavIoymnMUOJa2cjbR3p4=
MIME-Version: 1.0
Received: by 10.213.17.16 with SMTP id q16mr62725eba.62.1291945613165; Thu, 09 Dec 2010 17:46:53 -0800 (PST)
Received: by 10.213.16.142 with HTTP; Thu, 9 Dec 2010 17:46:53 -0800 (PST)
In-Reply-To: <AANLkTi=ofWZxKT=7DYUSArQTqsePZECOix5fkySGjZAt@mail.gmail.com>
References: <BB947F6D-15AA-455D-B830-5E12C80C1ACD@mnot.net> <81870DB1-B177-4253-8233-52C4168BE99D@apple.com> <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <57D4B885-B1D8-482F-8747-6460C0FFF166@apple.com> <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net> <4F2580A7-79C2-4B0A-BCE5-7FB6D9AA0ED7@apple.com> <BB31C4AB95A70042A256109D461991260583956C@XCH117CNC.rim.net> <EA41A6C7-971C-4EC8-AA6F-96363B7FDC4C@gmail.com> <73E53F19-E0E7-4ADB-B765-ABAF0B4A6736@mnot.net> <r2f0g6d7bj770kg0db5ptr027ninmckns8@hive.bjoern.hoehrmann.de> <20C2FBB9-901F-4235-AF23-EC8262585905@mnot.net> <1291905941.2315.2113.camel@ds9.ducksong.com> <4D011146.3080906@caucho.com> <AANLkTi=CKU8H5A2f7rSGZ9h5mrp=NZW0yLB9O6=MDW5i@mail.gmail.com> <AANLkTimg774w-JVExm4YQJzuBv3gaJZOLMo5OymDsMiE@mail.gmail.com> <AANLkTik5ce7VkZrYW=Yp9ST0T1hmAfXYWXqoqfgtsdPh@mail.gmail.com> <AANLkTi=ofWZxKT=7DYUSArQTqsePZECOix5fkySGjZAt@mail.gmail.com>
Date: Thu, 09 Dec 2010 19:46:53 -0600
Message-ID: <AANLkTi=eQc-skps5QdoyMvz0_G53NapK-QK5JG9p+8He@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: John Tamplin <jat@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2010 01:45:25 -0000
On Thu, Dec 9, 2010 at 7:09 PM, John Tamplin <jat@google.com> wrote: > On Thu, Dec 9, 2010 at 7:52 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote: >> >> > The app can't send HTTP-only cookies, since it has no access to them. >> > One >> >> The *app* has access to everything that server allows it to. The >> client side code is all generated by server anyway, server can bundle >> any data to the client code. > > Not if you want to associate an HTTP-only cookie with the connection such > that hostile JS can't interfere with it. I don't get HTTP-only cookie. If hostile JS is running, it has access to everything that user has access to. It doesn't know the exact value of http-only cookie, or TCP seq number, but it doesn't care. (Allow me vent a little bit. HTTP-only cookie is a retarded invention. If an application uses HTTP-only cookie, it should be banned by browser, because it admits and advertises that it has no confidence what code is running - so browser shouldn't run it) > >> >> > Whatever cookies shortcomings, they are still being used and there is no >> > viable replacement so I don't think we should drop support for them in >> > WebSockets. >> >> Of course, HTTP cookies are still useful. That doesn't mean WS should >> inherit them. We are not preventing WebSocket applications from using >> HTTP cookies or making it difficult. >> >> Because WS is stateful, the server can simply associate user state >> with connection. It doesn't need to send user state back to client, >> then ask client to send it back. That mechanism makes sense for HTTP, >> but not WS. >> >> >> >> There is still a problem of associating multiple WS connections from >> the same user, but that is a much smaller problem than what cookies >> try to solve. > > How does it get that first association? What if there are separate tabs > open, with different credentials? How does it know which one from the same > origin goes with which HTTP session? Good questions, but answerable questions. Now think about all the questions we can raise against cookies, and whether they can be answered. > >> >> My real fear of cookies is from reading that blog >> http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html >> Whose head won't explode by just thinking all the new problems WS will >> add to the existing mess if it starts to interact with cookies? Of >> course, we can be likewise irresponsible, and just vaguely specify >> WS-cookie interaction, leaving many questions open. > > Existing applications use HTTP and cookies today, including Comet/etc > applications which WebSocket is intended to replace. Dropping cookie I don't think that's a right angel. Comet is a workaround at the absence of WS. It was forced to take the HTTP form, and the cookies come with it. It wasn't a conscious choice to include cookies with Comet. And we are not obligated to repeat it. > support from WebSocket only adds another barrier to converting those apps to > use WebSocket. > It seems to me that WebSocket should handle cookies exactly as an XHR > request does today, OK. But what exactly does an XHR request do with cookies today? That's the problem, it is severely underspecified. Should WS join the party, and do its part to increase the uncertainty? > which doesn't seem like it improves or makes worse any > of the issues with cookies. If you are arguing that the app should continue > to use cookies but just manage sending them itself, how does that change > anything over WebSocket sending the cookies, other than force independent > reinvention of the wheel? I imagine that because of the stateful nature of WS, needs of cookies will be greatly cut. Developer may have to transfer the value of one HTTP cookie to WS, but that's about it. I don't believe that's even slightly difficult to developers. They have no problems with Flash sockets interacting with HTTP cookies. I would much prefer a lean mean protocol that can be understood in full, and developer can build things on top of it with confidence, than a fat messy protocol that's very difficult to grasp and master - even to the protocol authors themselves.
- [hybi] workability (or otherwise) of HTTP upgrade Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… Adam Barth
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… Julian Reschke
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Julian Reschke
- Re: [hybi] workability (or otherwise) of HTTP upg… Jamie Lokier
- Re: [hybi] workability (or otherwise) of HTTP upg… William A. Rowe Jr.
- Re: [hybi] workability (or otherwise) of HTTP upg… William A. Rowe Jr.
- Re: [hybi] workability (or otherwise) of HTTP upg… Roy T. Fielding
- Re: [hybi] workability (or otherwise) of HTTP upg… Adam Barth
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Willy Tarreau
- Re: [hybi] workability (or otherwise) of HTTP upg… Eric Rescorla
- Re: [hybi] workability (or otherwise) of HTTP upg… Willy Tarreau
- Re: [hybi] workability (or otherwise) of HTTP upg… Eric Rescorla
- Re: [hybi] workability (or otherwise) of HTTP upg… Willy Tarreau
- Re: [hybi] workability (or otherwise) of HTTP upg… Roy T. Fielding
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Maciej Stachowiak
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Adam Barth
- Re: [hybi] workability (or otherwise) of HTTP upg… Maciej Stachowiak
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Willy Tarreau
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Maciej Stachowiak
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Maciej Stachowiak
- Re: [hybi] workability (or otherwise) of HTTP upg… Adrien de Croy
- Re: [hybi] workability (or otherwise) of HTTP upg… Willy Tarreau
- Re: [hybi] workability (or otherwise) of HTTP upg… Willy Tarreau
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… Maciej Stachowiak
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Dave Cridland
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… Joe Mason
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Maciej Stachowiak
- Re: [hybi] workability (or otherwise) of HTTP upg… William A. Rowe Jr.
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Adam Barth
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… Brian McKelvey
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Bjoern Hoehrmann
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Bjoern Hoehrmann
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Jack Moffitt
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… Maciej Stachowiak
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Adrien de Croy
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Collin Jackson
- Re: [hybi] workability (or otherwise) of HTTP upg… Mark Nottingham
- Re: [hybi] workability (or otherwise) of HTTP upg… SM
- Re: [hybi] workability (or otherwise) of HTTP upg… Pat McManus @Mozilla
- Re: [hybi] workability (or otherwise) of HTTP upg… Scott Ferguson
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Gabriel Montenegro
- Re: [hybi] workability (or otherwise) of HTTP upg… Simon Pieters
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Simon Pieters
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… John Tamplin
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Bjoern Hoehrmann
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Bjoern Hoehrmann
- Re: [hybi] workability (or otherwise) of HTTP upg… Greg Wilkins
- Re: [hybi] workability (or otherwise) of HTTP upg… Martin J. Dürst
- Re: [hybi] workability (or otherwise) of HTTP upg… Willy Tarreau
- Re: [hybi] workability (or otherwise) of HTTP upg… Simon Pieters
- Re: [hybi] workability (or otherwise) of HTTP upg… James Graham
- Re: [hybi] workability (or otherwise) of HTTP upg… Michael
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu
- Re: [hybi] workability (or otherwise) of HTTP upg… Zhong Yu