Re: [hybi] WebSockets
"Roy T. Fielding" <fielding@gbiv.com> Tue, 31 March 2009 02:56 UTC
Return-Path: <fielding@gbiv.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8715B3A6954 for <hybi@core3.amsl.com>; Mon, 30 Mar 2009 19:56:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.439
X-Spam-Level:
X-Spam-Status: No, score=-5.439 tagged_above=-999 required=5 tests=[AWL=-3.440, BAYES_00=-2.599, J_CHICKENPOX_65=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sBqB19oz9J3R for <hybi@core3.amsl.com>; Mon, 30 Mar 2009 19:56:32 -0700 (PDT)
Received: from spaceymail-a5.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id B58A03A68BB for <hybi@ietf.org>; Mon, 30 Mar 2009 19:56:32 -0700 (PDT)
Received: from [10.2.8.56] (wsip-70-183-62-251.oc.oc.cox.net [70.183.62.251]) by spaceymail-a5.g.dreamhost.com (Postfix) with ESMTP id 154968709C; Mon, 30 Mar 2009 19:57:31 -0700 (PDT)
In-Reply-To: <Pine.LNX.4.62.0903310201130.25058@hixie.dreamhostps.com>
References: <Pine.LNX.4.62.0903302124580.25058@hixie.dreamhostps.com> <BBB4A96C-6101-43C5-AF62-2E242EE64B31@gbiv.com> <Pine.LNX.4.62.0903310201130.25058@hixie.dreamhostps.com>
Mime-Version: 1.0 (Apple Message framework v753.1)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <7B624611-7368-4B5F-B043-C0D96C94E359@gbiv.com>
Content-Transfer-Encoding: 7bit
From: "Roy T. Fielding" <fielding@gbiv.com>
Date: Mon, 30 Mar 2009 19:57:30 -0700
To: Ian Hickson <ian@hixie.ch>
X-Mailer: Apple Mail (2.753.1)
Cc: hybi@ietf.org
Subject: Re: [hybi] WebSockets
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2009 02:56:33 -0000
On Mar 30, 2009, at 7:12 PM, Ian Hickson wrote: > On Mon, 30 Mar 2009, Roy T. Fielding wrote: >> >> It would be nice to have a list of use cases for why anyone would >> want a >> Web page (as opposed to an installed client or client extension) to >> provide two-way communication, > > Some sample use cases: > > * GMail's built-in IM client > * Collaborative editing as seen in tools like Google Apps > * Multiplayer games > * Pages that monitor services, e.g. a wifi router's status page, > showing > up-to-date information about signal:noise ratios, etc. > > Personally the reason I want a WebSocket-like mechanism is so that > I can > make my Web-based model railway control panel quicker. Right now every > time I click anything it has to do a round-trip TCP connection to > the Web > server to tell it to tell the computer running the trains to > perform the > action, whereas what I really want is for the Web page to just have a > direct connection to that computer. This would also allow the train > controlling computer to give immediate feedback instead of having to > tunnel messages back through a long-lived CGI script returning drip- > fed > <script> blocks to an <iframe> over a long-lived HTTP connection. Thanks. Perhaps we should start a wiki somewhere to list the use cases and then a protocol comparison table to see what use cases are satisfied by each protocol. >> and also why that two-way communication must be tunneled over the Web >> ports in a way that deliberately intends to fool security-enforcing >> intermediaries into thinking it is HTTP. > > For my use case (the trains) I'm fine with not doing any tunneling, > however it turns out that a lot of sites block all but port 80 and > port > 443 and yet people still want to use their IM clients. Right now Web > applications like GMail are tunneling through ports 80 and 443 by > abusing > HTTP; I think it would be much better to have them Upgrade to another > protocol and leave HTTP for REST-like purposes. A lot of offices put locks on the door and only give keys to their employees and trusted contractors. That is inconvenient for a reason. > Note that the way WebSocket is designed, there's no deliberate > fooling; > it's a straight up HTTP Upgrade attempt. Not quite. You can't place constraints on specific ordering of bytes within WebSocket and then claim it is HTTP, because HTTP allows (and sometimes requires) intermediaries to change or reorder those same bytes in specific situations. I don't buy the argument regarding ease of implementation because it simply isn't robust to parse a line-delimited protocol as if it were a fixed structure, again because of the presence of those intermediaries over which you have no control. Upgrade was specifically designed for this purpose and can just as easily be implemented with a standard HTTP/1.1 OPTIONS or CONNECT request. The good thing is that, by initiating the connection with an HTTP request to the same-origin server by hostname, WebSocket doesn't suffer quite as much from the shared-IP security holes that are present in web-based software that uses raw sockets. However, it could still be used to trigger arbitrary requests by intercept proxies that don't understand that the connection has been upgraded. A more secure design would require the use of CONNECT and then forcibly encode the stream such that it can't be misinterpreted. Alternatively, just use a different port and let the organizations decide whether they want to allow such connections through their own firewalls. ....Roy
- [hybi] WebSockets Ian Hickson
- Re: [hybi] WebSockets Peter Keane
- Re: [hybi] WebSockets Edward Z. Yang
- Re: [hybi] WebSockets Ian Hickson
- Re: [hybi] WebSockets Roy T. Fielding
- Re: [hybi] WebSockets Peter Saint-Andre
- Re: [hybi] WebSockets Ian Hickson
- Re: [hybi] WebSockets Roy T. Fielding
- Re: [hybi] WebSockets Ian Hickson
- Re: [hybi] WebSockets Roy T. Fielding
- Re: [hybi] WebSockets Ian Hickson
- Re: [hybi] WebSockets Sylvain Hellegouarch