IETF Logo Mail Archive

Re: [hybi] workability (or otherwise) of HTTP upgrade

Zhong Yu <zhong.j.yu@gmail.com> Fri, 10 December 2010 01:45 UTC

Return-Path: <zhong.j.yu@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F08CE28C11E for <hybi@core3.amsl.com>; Thu, 9 Dec 2010 17:45:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.363
X-Spam-Level:
X-Spam-Status: No, score=-3.363 tagged_above=-999 required=5 tests=[AWL=0.236, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJ5RY-SFHjnU for <hybi@core3.amsl.com>; Thu, 9 Dec 2010 17:45:24 -0800 (PST)
Received: from mail-ew0-f53.google.com (mail-ew0-f53.google.com [209.85.215.53]) by core3.amsl.com (Postfix) with ESMTP id 8704328C113 for <hybi@ietf.org>; Thu, 9 Dec 2010 17:45:23 -0800 (PST)
Received: by ewy6 with SMTP id 6so2291881ewy.40 for <hybi@ietf.org>; Thu, 09 Dec 2010 17:46:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=JqMLO9whsi/ShiSX5VXivVrekPnmctW8VWcIU4u5lY4=; b=QhYojeYnHl0KUPlFpTpJJrsIKgME8M381+xKKB+k7X9PWS5nIUh9hl8f2bbkyX24yj dKYPq5kRbfV8a0gqTkCbyvGdY/9vzyeWpEOm/c/A4DlBWhhvaYG05OVRchmahwrJnPhI 3fpIogeGdclMKtjvIVAHG4P+50pA8mK4bRu/8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=t/DtTPUCzfqwlaUFvQGDm+7TSlQKU48r65ovqBtHC8xT+md6Hfu2kLiunS/eAwN5TQ QyEfeTPjeISIWGTqpb3oJa9Lfye/gUi7Z6YTmkEkUYiIzZ1Xt759hGpvmlDuf+i/eVjN KmZKFzf6+R0XZtKviavIoymnMUOJa2cjbR3p4=
MIME-Version: 1.0
Received: by 10.213.17.16 with SMTP id q16mr62725eba.62.1291945613165; Thu, 09 Dec 2010 17:46:53 -0800 (PST)
Received: by 10.213.16.142 with HTTP; Thu, 9 Dec 2010 17:46:53 -0800 (PST)
In-Reply-To: <AANLkTi=ofWZxKT=7DYUSArQTqsePZECOix5fkySGjZAt@mail.gmail.com>
References: <BB947F6D-15AA-455D-B830-5E12C80C1ACD@mnot.net> <81870DB1-B177-4253-8233-52C4168BE99D@apple.com> <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <57D4B885-B1D8-482F-8747-6460C0FFF166@apple.com> <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net> <4F2580A7-79C2-4B0A-BCE5-7FB6D9AA0ED7@apple.com> <BB31C4AB95A70042A256109D461991260583956C@XCH117CNC.rim.net> <EA41A6C7-971C-4EC8-AA6F-96363B7FDC4C@gmail.com> <73E53F19-E0E7-4ADB-B765-ABAF0B4A6736@mnot.net> <r2f0g6d7bj770kg0db5ptr027ninmckns8@hive.bjoern.hoehrmann.de> <20C2FBB9-901F-4235-AF23-EC8262585905@mnot.net> <1291905941.2315.2113.camel@ds9.ducksong.com> <4D011146.3080906@caucho.com> <AANLkTi=CKU8H5A2f7rSGZ9h5mrp=NZW0yLB9O6=MDW5i@mail.gmail.com> <AANLkTimg774w-JVExm4YQJzuBv3gaJZOLMo5OymDsMiE@mail.gmail.com> <AANLkTik5ce7VkZrYW=Yp9ST0T1hmAfXYWXqoqfgtsdPh@mail.gmail.com> <AANLkTi=ofWZxKT=7DYUSArQTqsePZECOix5fkySGjZAt@mail.gmail.com>
Date: Thu, 09 Dec 2010 19:46:53 -0600
Message-ID: <AANLkTi=eQc-skps5QdoyMvz0_G53NapK-QK5JG9p+8He@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: John Tamplin <jat@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2010 01:45:25 -0000

On Thu, Dec 9, 2010 at 7:09 PM, John Tamplin <jat@google.com> wrote:
> On Thu, Dec 9, 2010 at 7:52 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>>
>> > The app can't send HTTP-only cookies, since it has no access to them.
>> >  One
>>
>> The *app* has access to everything that server allows it to. The
>> client side code is all generated by server anyway, server can bundle
>> any data to the client code.
>
> Not if you want to associate an HTTP-only cookie with the connection such
> that hostile JS can't interfere with it.

I don't get HTTP-only cookie. If hostile JS is running, it has access
to everything that user has access to. It doesn't know the exact value
of http-only cookie, or TCP seq number, but it doesn't care.

(Allow me vent a little bit. HTTP-only cookie is a retarded invention.
If an application uses HTTP-only cookie, it should be banned by
browser, because it admits and advertises that it has no confidence
what code is running - so browser shouldn't run it)

>
>>
>> > Whatever cookies shortcomings, they are still being used and there is no
>> > viable replacement so I don't think we should drop support for them in
>> > WebSockets.
>>
>> Of course, HTTP cookies are still useful. That doesn't mean WS should
>> inherit them. We are not preventing WebSocket applications from using
>> HTTP cookies or making it difficult.
>>
>> Because WS is stateful, the server can simply associate user state
>> with connection. It doesn't need to send user state back to client,
>> then ask client to send it back. That mechanism makes sense for HTTP,
>> but not WS.
>>
>>
>>
>> There is still a problem of associating multiple WS connections from
>> the same user, but that is a much smaller problem than what cookies
>> try to solve.
>
> How does it get that first association?  What if there are separate tabs
> open, with different credentials?  How does it know which one from the same
> origin goes with which HTTP session?

Good questions, but answerable questions. Now think about all the
questions we can raise against cookies, and whether they can be
answered.

>
>>
>> My real fear of cookies is from reading that blog
>> http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html
>> Whose head won't explode by just thinking all the new problems WS will
>> add to the existing mess if it starts to interact with cookies? Of
>> course, we can be likewise irresponsible, and just vaguely specify
>> WS-cookie interaction, leaving many questions open.
>
> Existing applications use HTTP and cookies today, including Comet/etc
> applications which WebSocket is intended to replace.  Dropping cookie

I don't think that's a right angel. Comet is a workaround at the
absence of WS. It was forced to take the HTTP form, and the cookies
come with it. It wasn't a conscious choice to include cookies with
Comet. And we are not obligated to repeat it.

> support from WebSocket only adds another barrier to converting those apps to
> use WebSocket.
> It seems to me that WebSocket should handle cookies exactly as an XHR
> request does today,

OK. But what exactly does an XHR request do with cookies today? That's
the problem, it is severely underspecified. Should WS join the party,
and do its part to increase the uncertainty?

> which doesn't seem like it improves or makes worse any
> of the issues with cookies.  If you are arguing that the app should continue
> to use cookies but just manage sending them itself, how does that change
> anything over WebSocket sending the cookies, other than force independent
> reinvention of the wheel?

I imagine that because of the stateful nature of WS, needs of cookies
will be greatly cut. Developer may have to transfer the value of one
HTTP cookie to WS, but that's about it. I don't believe that's even
slightly difficult to developers. They have no problems with Flash
sockets interacting with HTTP cookies.

I would much prefer a lean mean protocol that can be understood in
full, and developer can build things on top of it with confidence,
than a fat messy protocol that's very difficult to grasp and master -
even to the protocol authors themselves.

v2.23.0 | Report a Bug | By Email