IETF Logo Mail Archive

Re: [hybi] workability (or otherwise) of HTTP upgrade

John Tamplin <jat@google.com> Fri, 10 December 2010 01:08 UTC

Return-Path: <jat@google.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C668228C0DB for <hybi@core3.amsl.com>; Thu, 9 Dec 2010 17:08:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.873
X-Spam-Level:
X-Spam-Status: No, score=-109.873 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntlhHyCOI+Oc for <hybi@core3.amsl.com>; Thu, 9 Dec 2010 17:08:32 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 108FF3A6BF6 for <hybi@ietf.org>; Thu, 9 Dec 2010 17:08:31 -0800 (PST)
Received: from kpbe12.cbf.corp.google.com (kpbe12.cbf.corp.google.com [172.25.105.76]) by smtp-out.google.com with ESMTP id oBA1A1Pj031680 for <hybi@ietf.org>; Thu, 9 Dec 2010 17:10:01 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1291943401; bh=nBshodlnIyrSi6StiG6pDxv1wmA=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=Y4kuTu6wyI/SLfHygyIXC6oI1S85HfaYkhdWpgk9+dFt++mrRiv6c4+FtspTO+Qy7 8Pc/h0d1CtUSunwBRUypg==
Received: from qyk29 (qyk29.prod.google.com [10.241.83.157]) by kpbe12.cbf.corp.google.com with ESMTP id oBA19Bet031970 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <hybi@ietf.org>; Thu, 9 Dec 2010 17:10:00 -0800
Received: by qyk29 with SMTP id 29so2769026qyk.4 for <hybi@ietf.org>; Thu, 09 Dec 2010 17:09:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=Lez/UwEesAVXyDcYYi4aAD9JSTRe7qhhP4TT8TtZ96s=; b=qiWawsoyhaMoARAYnSOuQ2+IMtkGeDXF9dxd8BFCYv+KTU6/bSxdLs36dPUewJk5mB Q/14pz36fgXPBe+OBTlQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=o9Y/YLwl7tstCfzurta6fBQlK0s1vo9lzUs1j0Q9BZV5jDHt8GvMveowDoG7ETzxqi sFlQRU/6C4pf0EB4F/Dw==
Received: by 10.229.251.1 with SMTP id mq1mr37104qcb.22.1291943399723; Thu, 09 Dec 2010 17:09:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.229.197.13 with HTTP; Thu, 9 Dec 2010 17:09:37 -0800 (PST)
In-Reply-To: <AANLkTik5ce7VkZrYW=Yp9ST0T1hmAfXYWXqoqfgtsdPh@mail.gmail.com>
References: <BB947F6D-15AA-455D-B830-5E12C80C1ACD@mnot.net> <81870DB1-B177-4253-8233-52C4168BE99D@apple.com> <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <57D4B885-B1D8-482F-8747-6460C0FFF166@apple.com> <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net> <4F2580A7-79C2-4B0A-BCE5-7FB6D9AA0ED7@apple.com> <BB31C4AB95A70042A256109D461991260583956C@XCH117CNC.rim.net> <EA41A6C7-971C-4EC8-AA6F-96363B7FDC4C@gmail.com> <73E53F19-E0E7-4ADB-B765-ABAF0B4A6736@mnot.net> <r2f0g6d7bj770kg0db5ptr027ninmckns8@hive.bjoern.hoehrmann.de> <20C2FBB9-901F-4235-AF23-EC8262585905@mnot.net> <1291905941.2315.2113.camel@ds9.ducksong.com> <4D011146.3080906@caucho.com> <AANLkTi=CKU8H5A2f7rSGZ9h5mrp=NZW0yLB9O6=MDW5i@mail.gmail.com> <AANLkTimg774w-JVExm4YQJzuBv3gaJZOLMo5OymDsMiE@mail.gmail.com> <AANLkTik5ce7VkZrYW=Yp9ST0T1hmAfXYWXqoqfgtsdPh@mail.gmail.com>
From: John Tamplin <jat@google.com>
Date: Thu, 09 Dec 2010 20:09:37 -0500
Message-ID: <AANLkTi=ofWZxKT=7DYUSArQTqsePZECOix5fkySGjZAt@mail.gmail.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
Content-Type: multipart/alternative; boundary="0016363b82c669158f04970403e5"
X-System-Of-Record: true
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2010 01:08:34 -0000

On Thu, Dec 9, 2010 at 7:52 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

> > The app can't send HTTP-only cookies, since it has no access to them.
>  One
>
> The *app* has access to everything that server allows it to. The
> client side code is all generated by server anyway, server can bundle
> any data to the client code.


Not if you want to associate an HTTP-only cookie with the connection such
that hostile JS can't interfere with it.


> > Whatever cookies shortcomings, they are still being used and there is no
> > viable replacement so I don't think we should drop support for them in
> > WebSockets.
>
> Of course, HTTP cookies are still useful. That doesn't mean WS should
> inherit them. We are not preventing WebSocket applications from using
> HTTP cookies or making it difficult.
>
> Because WS is stateful, the server can simply associate user state
> with connection. It doesn't need to send user state back to client,
> then ask client to send it back. That mechanism makes sense for HTTP,
> but not WS.



There is still a problem of associating multiple WS connections from
> the same user, but that is a much smaller problem than what cookies
> try to solve.
>

How does it get that first association?  What if there are separate tabs
open, with different credentials?  How does it know which one from the same
origin goes with which HTTP session?


> My real fear of cookies is from reading that blog
> http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html
> Whose head won't explode by just thinking all the new problems WS will
> add to the existing mess if it starts to interact with cookies? Of
> course, we can be likewise irresponsible, and just vaguely specify
> WS-cookie interaction, leaving many questions open.
>

Existing applications use HTTP and cookies today, including Comet/etc
applications which WebSocket is intended to replace.  Dropping cookie
support from WebSocket only adds another barrier to converting those apps to
use WebSocket.

It seems to me that WebSocket should handle cookies exactly as an XHR
request does today, which doesn't seem like it improves or makes worse any
of the issues with cookies.  If you are arguing that the app should continue
to use cookies but just manage sending them itself, how does that change
anything over WebSocket sending the cookies, other than force independent
reinvention of the wheel?

-- 
John A. Tamplin
Software Engineer (GWT), Google

v2.23.0 | Report a Bug | By Email