Re: [hybi] workability (or otherwise) of HTTP upgrade

"Roy T. Fielding" <fielding@gbiv.com> Thu, 02 December 2010 00:31 UTC

From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <AANLkTimi5HL56PD9gLHUWs=mcbV3Eaz=GOsK38sxPevb@mail.gmail.com>
Date: Wed, 01 Dec 2010 16:32:19 -0800
Message-Id: <DA6A1BBE-B67F-40B9-92A3-E62E78E43CD0@gbiv.com>
References: <AANLkTin6=8_Bhn2YseoSHGh1OSkQzsYrTW=fMiPvYps1@mail.gmail.com> <20101126000352.ad396b9a.eric@bisonsystems.net> <AANLkTimzQyG4hugOvHqoNrBrZFA4fGbGXQ7MZ2i+68dO@mail.gmail.com> <4CF615B2.9010304@rowe-clan.net> <F96E5CE9-CA7D-4B70-8260-F05456D021FB@gbiv.com> <AANLkTimi5HL56PD9gLHUWs=mcbV3Eaz=GOsK38sxPevb@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
Cc: "William A. Rowe Jr." <wrowe@rowe-clan.net>, Hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade

On Dec 1, 2010, at 10:01 AM, Adam Barth wrote:

> On Wed, Dec 1, 2010 at 9:45 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> On Dec 1, 2010, at 1:30 AM, William A. Rowe Jr. wrote:
>>> On 11/26/2010 6:55 AM, Greg Wilkins wrote:
>>>> 
>>>> And do you get similar feeling to think about using the CONNECT method
>>>> to establish tunnels for arbitrary protocols?
>>> 
>>> CONNECT suffers from the same issues you identify in deploying a new port.
>>> Namely, http servers will reject those requests.  Leveraging CONNECT
>>> successfully would require additional HTTP-level authentication to identify
>>> users and prevent abuse (as most proxies do).  Restructuring the internet,
>>> whether it is adding a new port to unblock, or permitting specific classes
>>> of CONNECT traffic, would be a similar battle.
>> 
>> Perhaps more to the point, CONNECT is a method that is only allowed to be
>> sent to a client-side proxy server.  Deliberately sending it in other
>> HTTP messages would be a violation of its method semantics and the
>> HTTP/1.1 syntax (because its unusual target syntax is only allowed
>> when sent to a proxy).
> 
> That seems like a matter of perspective.  When opening a connection to
> a WebSocket server, can one not view the server as a proxy server?

No, because the browser is not limiting such connections to a
configuration-selected proxy (hence, it is not equivalent from
a behavioral or organizational policy perspective, which is
where the name "proxy" came from originally and what drives the
selection and enforcement of proxy use within larger companies).

I don't have a problem with configured proxies being used via
a normal CONNECT tunnel to perform raw websockets access outside
a port-restricted firewall.  That would be a normal proxy
configuration (not intercepts).

....Roy
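The distinction drawn in this exchange, that the authority-form request-target of CONNECT only makes sense at a configured proxy while a WebSocket handshake is an ordinary GET with an Upgrade header that an origin server can act on, is shown below as an added example. It is not code from the thread or from any of its participants: the request messages are constructed, the `role` parameter ("origin" versus "proxy") is an assumption standing in for the server's deployment configuration, and the status codes are the choices an implementer would plausibly make rather than anything the thread specifies.

```python
"""Classify HTTP/1.1 request lines and decide how a server in a given
role should treat CONNECT versus a GET + Upgrade: websocket handshake.

Added example, not code from the hybi thread. The request-target forms
(origin-form, absolute-form, authority-form, asterisk-form) follow
RFC 7230 section 5.3; everything else here is an assumption of the
example.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# tchar from RFC 7230 for the method token.
METHOD_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# authority-form: host:port (IPv6 literal or reg-name), used only by CONNECT.
AUTHORITY_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):[0-9]{1,5}$")
# absolute-form starts with a URI scheme followed by "://".
ABSOLUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


class Decision(NamedTuple):
    status: int
    reason: str
    target_form: str


def target_form(target: str) -> str:
    """Name the request-target form, or 'invalid' if it matches none."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if ABSOLUTE_RE.match(target):
        return "absolute-form"
    if AUTHORITY_RE.match(target):
        return "authority-form"
    return "invalid"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, List[str]]]:
    """Split the head of a request into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not METHOD_RE.match(parts[0]) or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], parts[1], headers


def wants_websocket(headers: Dict[str, List[str]]) -> bool:
    """True when Upgrade lists 'websocket' and Connection lists 'Upgrade'."""
    upgrade = [t.strip().lower() for v in headers.get("upgrade", []) for t in v.split(",")]
    conn = [t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")]
    return "websocket" in upgrade and "upgrade" in conn


def decide(raw: bytes, role: str) -> Decision:
    """role is 'origin' for an ordinary web server or 'proxy' for a
    configured forward proxy; it comes from deployment configuration,
    never from the request itself."""
    method, target, headers = parse_request(raw)
    form = target_form(target)
    if method == "CONNECT":
        if form != "authority-form":
            return Decision(400, "CONNECT requires an authority-form target", form)
        if role != "proxy":
            # An origin server has no tunnel to offer; refusing CONNECT
            # closes off use of the server as an open relay.
            return Decision(405, "CONNECT is only meaningful at a proxy", form)
        return Decision(200, "tunnel may be established (after proxy authentication)", form)
    if form == "authority-form":
        return Decision(400, "authority-form is reserved for CONNECT", form)
    if form == "invalid":
        return Decision(400, "unrecognised request-target", form)
    if wants_websocket(headers):
        if method != "GET":
            return Decision(400, "WebSocket handshake must be a GET", form)
        return Decision(101, "switching protocols; origin server handles Upgrade itself", form)
    return Decision(200, "ordinary HTTP request", form)


# Constructed sample messages (not captured traffic).
WS_HANDSHAKE = (b"GET /chat HTTP/1.1\r\nHost: example.com\r\n"
                b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
CONNECT_TUNNEL = b"CONNECT ws.example.com:443 HTTP/1.1\r\nHost: ws.example.com:443\r\n\r\n"

if __name__ == "__main__":
    for label, msg in (("websocket handshake", WS_HANDSHAKE), ("connect tunnel", CONNECT_TUNNEL)):
        for role in ("origin", "proxy"):
            print(label, "at", role, "->", decide(msg, role))
```

The role the server plays is an input to `decide`, not something inferred from the message: that mirrors the point that a browser only sends CONNECT to a configuration-selected proxy, so whether a tunnel request is legitimate is a property of how the endpoint was deployed and configured, not of how the request is phrased.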