Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Rob Sayre <rsayre@mozilla.com> Thu, 28 January 2010 23:10 UTC

Message-ID: <4B621978.8070700@mozilla.com>
Date: Thu, 28 Jan 2010 15:10:48 -0800
From: Rob Sayre <rsayre@mozilla.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: hybi@ietf.org
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com> <10CFF7AB-9954-4876-B4D9-4E7C4E040045@apple.com>
In-Reply-To: <10CFF7AB-9954-4876-B4D9-4E7C4E040045@apple.com>
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Also interested in moving the technology forward, not so much in 
debating the politics.

On 1/28/10 2:55 PM, Maciej Stachowiak wrote:
>
> +1
>
> We at Apple are interested in moving the technology forward, not so 
> much in debating the politics. Can we at least keep procedural matters 
> out of threads about technical questions?
>
>  - Maciej
>
> On Jan 28, 2010, at 2:49 PM, Ian Fette (イアンフェッティ) wrote:
>
>> So, moving back to the original question... I am very concerned here. 
>> A relatively straightforward question was asked, with rationale for 
>> the question. "May/Should WebSocket use HttpOnly cookie while 
>> Handshaking?
>> I think it would be useful to use HttpOnly cookie on WebSocket so 
>> that we could authenticate the WebSocket connection by the auth token 
>> cookie which might be HttpOnly for security reason."
>>
>> It seems reasonable to assume that Web Sockets will be used in an 
>> environment where users are authenticated, and that in many cases the 
>> Web Socket will be established once the user has logged into a page 
>> via HTTP/HTTPS. It seems furthermore reasonable to assume that a 
>> server may track the logged-in-ness of the client using a HttpOnly 
>> cookie, and that the server-side logic to check whether a user is 
>> already logged in could easily be leveraged for Web Sockets, since it 
>> starts as an HTTP connection that includes cookies and is then 
>> upgraded. It seems like a very straightforward thing to say "Yes, it 
>> makes sense to send the HttpOnly cookie for Web Socket connections".
>>
>> Instead, we are bogged down in politics.
>>
>> How are we to move forward on this spec? We have multiple server 
>> implementations, there are multiple client implementations, if a 
>> simple question like this gets bogged down in discussions of WHATWG 
>> vs IETF we are never going to get anywhere. Clearly there are people 
>> on both groups who have experience in the area and valuable 
>> contributions to add, so how do we move forward? Simply telling the 
>> folks on WHATWG that they've handed the spec off to IETF is **NOT** 
>> in line with what I recall at the IETF, where I recall agreeing to 
>> the two WGs working in concert with each other. What we have before 
>> us is a very trivial question (IMO) that should receive a quick 
>> response. Can we use this as a proof of concept that the two groups 
>> can work together? If so, what are the concrete steps?
>>
>> If we can't figure out how to move forward on such a simple issue, it 
>> seems to me that we are in an unworkable situation, and should 
>> probably just continue the work in WHATWG through to a final spec, 
>> let implementations settle for a while, and then hand it off to IETF 
>> for refinement and finalization in a v2 spec... (my $0.02)
>>
>> -Ian
>>
>> 2010/1/28 Ian Hickson <ian@hixie.ch <mailto:ian@hixie.ch>>
>>
>>     On Thu, 28 Jan 2010, Julian Reschke wrote:
>>     > Ian Hickson wrote:
>>     > > ...
>>     > > > The WHATWG submitted the document to the IETF
>>     > >
>>     > > I don't think that's an accurate portrayal of anything that
>>     has occurred,
>>     > > unless you mean the way my commit script uploads any changes
>>     to the draft to
>>     > > the tools.ietf.org <http://tools.ietf.org/> scripts. That
>>     same script also submits the various
>>     > > documents generated from that same source document to the W3C
>>     and WHATWG
>>     > > source version control repositories.
>>     > > ...
>>     >
>>     > By submitting an Internet Draft according to BCP 78 you grant
>>     the IETF certain
>>     > rights; it's not relevant whether it was a script or yourself
>>     using a browser
>>     > or a MUA who posted it.
>>     >
>>     > You may want to check
>>     <http://tools.ietf.org/html/bcp78#section-5.3>.
>>
>>     With the exception of the trademark rights, which I don't have and
>>     therefore cannot grant, the rights listed there are a subset of
>>     the rights
>>     the IETF was already granted by virtue of the WHATWG publishing
>>     the spec
>>     under a very liberal license. So that doesn't appear to be relevant.
>>
>>     --
>>     Ian Hickson               U+1047E                )\._.,--....,'``.    fL
>>     http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>>     Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>>     _______________________________________________
>>     hybi mailing list
>>     hybi@ietf.org <mailto:hybi@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/hybi