Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
Rob Sayre <rsayre@mozilla.com> Thu, 28 January 2010 23:10 UTC
Return-Path: <rsayre@mozilla.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 55F5E3A696E for <hybi@core3.amsl.com>; Thu, 28 Jan 2010 15:10:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xk7xHriJF5iU for <hybi@core3.amsl.com>; Thu, 28 Jan 2010 15:10:39 -0800 (PST)
Received: from dm-mail03.mozilla.org (dm-mail03.mozilla.org [63.245.208.213]) by core3.amsl.com (Postfix) with ESMTP id 8344E3A68BD for <hybi@ietf.org>; Thu, 28 Jan 2010 15:10:39 -0800 (PST)
Received: from sayrer.local (guest-224.mv.mozilla.com [63.245.220.224]) (Authenticated sender: rsayre@mozilla.com) by dm-mail03.mozilla.org (Postfix) with ESMTP id 680774AFE5A for <hybi@ietf.org>; Thu, 28 Jan 2010 15:10:49 -0800 (PST)
Message-ID: <4B621978.8070700@mozilla.com>
Date: Thu, 28 Jan 2010 15:10:48 -0800
From: Rob Sayre <rsayre@mozilla.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: hybi@ietf.org
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com> <10CFF7AB-9954-4876-B4D9-4E7C4E040045@apple.com>
In-Reply-To: <10CFF7AB-9954-4876-B4D9-4E7C4E040045@apple.com>
Content-Type: multipart/alternative; boundary="------------070205030400000202060005"
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2010 23:10:44 -0000
Also interested in moving the technology forward, not so much in debating the politics. On 1/28/10 2:55 PM, Maciej Stachowiak wrote: > > +1 > > We at Apple are interested in moving the technology forward, not so > much in debating the politics. Can we at least keep procedural mattes > out of threads about technical questions? > > - Maciej > > On Jan 28, 2010, at 2:49 PM, Ian Fette (イアンフェッティ) wrote: > >> So, moving back to the original question... I am very concerned here. >> A relatively straightforward question was asked, with rationale for >> the question. "May/Should WebSocket use HttpOnly cookie while >> Handshaking? >> I think it would be useful to use HttpOnly cookie on WebSocket so >> that we could authenticate the WebSocket connection by the auth token >> cookie which might be HttpOnly for security reason." >> >> It seems reasonable to assume that Web Sockets will be used in an >> environment where users are authenticated, and that in many cases the >> Web Socket will be established once the user has logged into a page >> via HTTP/HTTPS. It seems furthermore reasonable to assume that a >> server may track the logged-in-ness of the client using a HttpOnly >> cookie, and that the server-side logic to check whether a user is >> already logged in could easily be leveraged for Web Sockets, since it >> starts as an HTTP connection that includes cookies and is then >> upgraded. It seems like a very straightforward thing to say "Yes, it >> makes sense to send the HttpOnly cookie for Web Socket connections". >> >> Instead, we are bogged down in politics. >> >> How are we to move forward on this spec? We have multiple server >> implementations, there are multiple client implementations, if a >> simple question like this gets bogged down in discussions of WHATWG >> vs IETF we are never going to get anywhere. Clearly there are people >> on both groups who have experience in the area and valuable >> contributions to add, so how do we move forward? Simply telling the >> folks on WHATWG that they've handed the spec off to IETF is **NOT** >> in line with what I recall at the IETF, where I recall agreeing to >> the two WGs working in concert with each other. What we have before >> us is a very trivial question (IMO) that should receive a quick >> response. Can we use this as a proof of concept that the two groups >> can work together? If so, what are the concrete steps? >> >> If we can't figure out how to move forward on such a simple issue, it >> seems to me that we are in an unworkable situation, and should >> probably just continue the work in WHATWG through to a final spec, >> let implementations settle for a while, and then hand it off to IETF >> for refinement and finalization in a v2 spec... (my $0.02) >> >> -Ian >> >> 2010/1/28 Ian Hickson <ian@hixie.ch <mailto:ian@hixie.ch>> >> >> On Thu, 28 Jan 2010, Julian Reschke wrote: >> > Ian Hickson wrote: >> > > ... >> > > > The WHATWG submitted the document to the IETF >> > > >> > > I don't think that's an accurate portrayal of anything that >> has occurred, >> > > unless you mean the way my commit script uploads any changes >> to the draft to >> > > the tools.ietf.org <http://tools.ietf.org/> scripts. That >> same script also submits the varous >> > > documents generated from that same source document to the W3C >> and WHATWG >> > > source version control repositories. >> > > ... >> > >> > By submitting an Internet Draft according to BCP 78 you grant >> the IETF certain >> > rights; it's not relevant whether it was a script or yourself >> using a browser >> > or a MUA who posted it. >> > >> > You may want to check >> <http://tools.ietf.org/html/bcp78#section-5.3>. >> >> With the exception of the trademark rights, which I don't have and >> therefore cannot grant, the rights listed there are a subset of >> the rights >> the IETF was already granted by virtue of the WHATWG publishing >> the spec >> under a very liberal license. So that doesn't appear to be relevant. >> >> -- >> Ian Hickson U+1047E >> )\._.,--....,'``. fL >> http://ln.hixie.ch/ U+263A /, _.. \ _\ >> ;`._ ,. >> Things that are impossible just take longer. >> `._.-(,_..'--(,_..'`-.;.' >> _______________________________________________ >> hybi mailing list >> hybi@ietf.org <mailto:hybi@ietf.org> >> https://www.ietf.org/mailman/listinfo/hybi >> >> >> _______________________________________________ >> hybi mailing list >> hybi@ietf.org <mailto:hybi@ietf.org> >> https://www.ietf.org/mailman/listinfo/hybi > > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi >
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Wenbo Zhu
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Greg Wilkins
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Julian Reschke
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Fette (イアンフェッティ)
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Maciej Stachowiak
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Rob Sayre
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- [hybi] Process! was: [whatwg] HttpOnly cookie for… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Rob Sayre
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Fette (イアンフェッティ)
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Fette (イアンフェッティ)
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Martin J. Dürst
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Julian Reschke
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Francis Brosnan Blazquez
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Justin Erenkrantz
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Jamie Lokier
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Jamie Lokier
- [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Roberto Peon
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- [hybi] Intermediaries and idle connections (was R… Maciej Stachowiak
- [hybi] Reliable message delivery (was Re: Technic… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Technical feedback. was: Process! Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Roberto Peon
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- [hybi] Process, was: Technical feedback. was: Pro… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Process, was: Technical feedback. was:… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Process, was: Technical feedback. was:… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Process, was: Technical feedback. was:… SM
- Re: [hybi] Process, was: Technical feedback. was:… Greg Wilkins
- Re: [hybi] Process, was: Technical feedback. was:… Maciej Stachowiak
- Re: [hybi] Process, was: Technical feedback. was:… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Jamie Lokier
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? John Fallows
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Julian Reschke
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Salvatore Loreto
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Anne van Kesteren
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Anne van Kesteren
- Re: [hybi] Technical feedback. was: Process! Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Thomson, Martin
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Anne van Kesteren
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Process! SM
- Re: [hybi] Process! Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson
- Re: [hybi] Technical feedback. was: Process! Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Thomson, Martin
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Martin J. Dürst
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Francis Brosnan Blazquez
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Technical feedback. was: Process! Jamie Lokier
- Re: [hybi] Technical feedback. was: Process! Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Mridul Muralidharan
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Mridul Muralidharan
- Re: [hybi] Reliable message delivery (was Re: Tec… Pieter Hintjens
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Mridul Muralidharan
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Scott Ferguson
- Re: [hybi] Reliable message delivery (was Re: Tec… Graham Klyne
- Re: [hybi] Reliable message delivery (was Re: Tec… Salvatore Loreto
- Re: [hybi] Reliable message delivery (was Re: Tec… Adam Barth
- Re: [hybi] Reliable message delivery (was Re: Tec… Salvatore Loreto
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson