Re: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

David Endicott <dendicott@gmail.com> Fri, 22 July 2011 13:47 UTC

To: Dave Cridland <dave@cridland.net>
Cc: Server-Initiated HTTP <hybi@ietf.org>, IETF-Discussion <ietf@ietf.org>

>>> serves the Javascript that opens the WS should remain constant.   If WS
>>> resolves the host/domain to a different address than the HTTP it was spawned
>>> from, it becomes a method to bypass same-origin / CORS restrictions.
>>>
>>
>> That's an unfortunate misunderstanding.
>>
>> All protocols that use SRV records maintain the target domain.
>>
>> So a ws://example.com/xyz would still send a Host header of "example.com",
>> whether SRV or not, so there is no impact on same origin policy, CORS, etc.
>>
>>
> Good to know, thank you.

Actually....I wasn't talking about the Host: header - that is totally
spoofable...I was concerned about:

1. Browser client resolves example.com via old style DNS to x.x.x.x and
fetches HTTP
2. Received HTML starts JS which starts WS connection
3. WS resolves example.com via DNS SRV to y.y.y.y and opens
4. WS now has access outside origin.

Please note, I did not specify why DNS SRV resolved differently than old
style DNS - could be malicious, could be a simple mistake. I am
assuming the DNS SRV and old DNS might be answered from different servers.

Do browsers restrict origin / cross-site access based on name or on address?
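
The four-step scenario above, modelled as an added example that is not part of the original message. It assumes the origin tuple of RFC 6454 (scheme, host, port); `scenario`, `compareEndpoints` and `originAllowed` are hypothetical names, and the addresses are constructed documentation addresses. It shows what a name-based comparison can and cannot observe, and an exact-match origin check a WebSocket server can apply during the handshake.

```javascript
// Added example. Origins are modelled as the (scheme, host, port) tuple of RFC 6454.
// All names and addresses here are constructed; addresses are documentation ranges.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Origin tuple of a URL. Note that no resolved address takes part in it.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Steps 1-3 of the scenario: same name, two lookups, two addresses.
const scenario = {
  page:   { url: "http://example.com/",  lookup: "A",   address: "192.0.2.10" },
  socket: { url: "ws://example.com/xyz", lookup: "SRV", address: "198.51.100.20" },
};

// What a name-based comparison can and cannot see in that scenario.
function compareEndpoints({ page, socket }) {
  const p = originTuple(page.url), s = originTuple(socket.url);
  return {
    pageOrigin: new URL(page.url).origin, // serialized origin of the page
    sameHostAndPort: p.host === s.host && p.port === s.port,
    sameAddress: page.address === socket.address,
  };
}

// Server-side handshake check (hypothetical helper): exact match on the
// serialized origin, so look-alike names, "null" and missing values fail.
function originAllowed(originValue, allowlist) {
  if (typeof originValue !== "string") return false;
  let parsed;
  try { parsed = new URL(originValue); } catch { return false; }
  return parsed.origin === originValue && allowlist.has(originValue);
}

const ALLOWED = new Set(["http://example.com"]);
console.log(compareEndpoints(scenario), originAllowed("http://example.com", ALLOWED));
```
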