Re: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard
Iñaki Baz Castillo <ibc@aliax.net> Sun, 24 July 2011 11:33 UTC
2011/7/22 David Endicott <dendicott@gmail.com>:
> Actually....I wasn't talking about the Host: header - that is totally
> spoofable...I was concerned about:
> 1. Browser client resolves example.com via old style DNS to x.x.x.x and
> fetches HTTP
> 2. Received HTML starts JS which starts WS connection
> 3. WS resolves example.com via DNS SRV to y.y.y.y and opens
> 4. WS now has access outside origin.
> Please note, I did not specify why DNS SRV resolved differently than old
> style DNS - could be malicious, could be a simple mistake. I am
> assuming the DNS SRV and old DNS might be answered from different servers.
> Do browsers restrict origin / cross-site access based on name or on address?

Now I assume that there is no SRV stuff at all:

1. Browser client resolves example.com via old style DNS to x.x.x.x and fetches HTTP.
2. Received HTML contains a JS with a WS URI "ws://other-domain.net".
3. WS resolves other-domain.net via old style DNS to z.z.z.z and opens.
4. WS now has access outside origin.

Is there any spec in which it's said that the WS URI must point to the same domain as the initial web page?

NOTE: Anyhow, in the case of DNS SRV such domain can be the same. My example above is just another.

--
Iñaki Baz Castillo <ibc@aliax.net>
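For the cross-domain case in steps 1 to 4 above, the browser reports the page's origin in the opening handshake (`Sec-WebSocket-Origin` in draft -10, `Origin` in RFC 6455) and the WebSocket server decides whether to accept it. The sketch below is an added example, not part of the original message or of the draft; the function names, the allowlist and the sample requests are constructed for illustration, and rejecting a handshake that carries no origin is a policy assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED = {"http://other-domain.net"}  # constructed allowlist for the WS server

def normalize_origin(value):
    """Return scheme://host[:port] in canonical form, or None if unusable."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # also covers the opaque origin "null"
    if parts.path or parts.query or parts.fragment or parts.username:
        return None  # an origin carries no path, query or credentials
    host = parts.hostname  # urlsplit lower-cases the host name
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"

def handshake_origin(raw_request):
    """Return the origin header value, or None if absent or repeated."""
    values = []
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("origin", "sec-websocket-origin"):
            values.append(value.strip())
    return values[0] if len(values) == 1 else None

def check_handshake(raw_request, allowed_origins):
    """Return (HTTP status, reason) for the upgrade request."""
    origin = normalize_origin(handshake_origin(raw_request) or "")
    if origin is None:
        return (403, "missing, duplicated or malformed origin")
    if origin not in allowed_origins:
        return (403, f"origin {origin} not allowed")
    return (101, f"origin {origin} allowed")

def request(origin_header):
    """Build a constructed upgrade request addressed to other-domain.net."""
    return ("GET /chat HTTP/1.1\r\nHost: other-domain.net\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            + origin_header + "\r\n\r\n")

if __name__ == "__main__":
    # Page served by example.com opening ws://other-domain.net (draft -10 header).
    print(check_handshake(request("Sec-WebSocket-Origin: http://example.com"), ALLOWED))
    print(check_handshake(request("Origin: http://other-domain.net:80"), ALLOWED))
```

The origin value is supplied by the browser on behalf of the page, so this check constrains scripts running in browsers; a non-browser client can send any value and still needs to be authenticated separately.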