Re: [hybi] draft-10 questions

Patrick McManus <> Mon, 01 August 2011 12:37 UTC

On Sun, 2011-07-31 at 10:12 -0700, Tobias Oberstein wrote:

> just to be sure to get that right:
> A js served to a browser from http://somehost:80 can contact _any_ ws(s)://XXX:YYY ?
> It's at the sole discretion of that other host to accept (depending e.g. on ws-origin) the ws ?
> so for WebSockets in browsers, the "same origin policy" does not apply at all?

Yes. Same origin is not necessary because websockets contains a
mandatory origin header and, thanks to the hash based handshake, we know
the server implements the spec that understands that semantic.

> e.g. under what circumstances will a cookie A set by the original js serving http://somehost:80 be
> delivered in the headers of an ws outgoing from that js?
> or, is that browser implementation dependent?

It certainly isn't specified by hybi :). In FF the normal HTTP cookie
rules apply (which is to say the most interesting factor is the hostname
of the ws server), because wherever we can we treat that handshake like
just another http transaction. 

That also means things like HSTS (will) apply to the handshake. CSP too
when that mapping is figured out.

One distinction we have decided to draw is to prevent downgrading mixed
content with websockets (i.e. you cannot connect to a ws:// url from a
https:// based context).
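
The server-side check this reply relies on, as an added example that is not part of the original message or of any hybi implementation: the browser does not restrict the target, so the server compares the origin header against an allowlist before answering the hash-based handshake. The allowlist contents, the function names and the choice to refuse a missing origin are assumptions; draft-10 names the header Sec-WebSocket-Origin, and RFC 6455 later renamed it Origin, so both are read.

```python
import base64
import hashlib

# GUID fixed by the WebSocket protocol for the handshake hash.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Hypothetical allowlist: origins whose pages may open sockets to this server.
ALLOWED_ORIGINS = {"http://somehost", "https://app.example"}


def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_handshake(headers: dict, allowed=ALLOWED_ORIGINS):
    """Return (status, response_headers) for an opening handshake."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, {}
    # draft-10 header name first checked under its later RFC 6455 name.
    origin = h.get("origin") or h.get("sec-websocket-origin")
    # Cookies are attached by the ws server's hostname, whatever page opened
    # the socket, so an unlisted origin is refused before any cookie is
    # trusted. Refusing a missing origin is a policy choice made here for a
    # browser-facing endpoint (assumption).
    if origin is None or origin.lower() not in allowed:
        return 403, {}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept_value(h["sec-websocket-key"]),
    }


if __name__ == "__main__":
    # Constructed sample handshakes; the cookie value is made up.
    base = {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
            "Cookie": "A=session-token"}
    for origin in ("http://somehost", "http://other.example"):
        status, resp = handle_handshake({**base, "Sec-WebSocket-Origin": origin})
        print(origin, status, resp.get("Sec-WebSocket-Accept"))
```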