Re: [hybi] New Version Notification for draft-mcmanus-httpbis-h2-websockets-01.txt

Mark Nottingham <> Thu, 26 October 2017 23:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3DB3413F48B for <>; Thu, 26 Oct 2017 16:39:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=VQDxTQEO; dkim=pass (2048-bit key) header.b=T0zhKbJU
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bp7qMDiq3EMy for <>; Thu, 26 Oct 2017 16:39:30 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 534281389AC for <>; Thu, 26 Oct 2017 16:39:30 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id C21B32081E; Thu, 26 Oct 2017 19:39:28 -0400 (EDT)
Received: from frontend1 ([]) by compute3.internal (MEProxy); Thu, 26 Oct 2017 19:39:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=hDLRi+fRSI+CIKXOpv7o5V7cslkOu +7Mx74/OjmPdyE=; b=VQDxTQEODC8ak+kQ4OEmL84ED7zxvZO5uxM6kWSUJBgAZ UzFzHgNNWJmHG4+JzKpTGVvMTOMmP5nvexILp9sHdw9AfPS6+LSUD1ndfyn0Dh1P x/d83PZloNDrR7SejUj3+IBxdQdaDxekmJmDXLBHLQ7/i1CiqQZdOfpBhPYyUfT+ 875/awd06L5UfHHotVoASWnG7qqvFFPm39bagZsmNfaZ0OlzXi2OCL8z1+WBaRua 8X//CTOQKeDIepmUEOqm2LXpH5Y0yB1w+246nGnTCIS3Rw44agjKrj5rq6jS8OTC y5tmLJUzzBvmSoi2JwM7NA/tZNfHJH1vBPL6t+APw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=hDLRi+ fRSI+CIKXOpv7o5V7cslkOu+7Mx74/OjmPdyE=; b=T0zhKbJUjlP37Q89RBeSPW LVV5liK13TCOzLA5C4QrE4UyvUogkjDFGQb6g91MiWiZscekjfL9TawiCNanVI3x 5JFM/O1WNa6OnFh7uylGuRKF9Mbid7PVFoOQUV5PHaJoVVzPTHYltW2NGqy7bYdt 4V1PAYWfMn1BfqcaPc0uHVn8cKn18Fvv5TNzXVEj+4q4N7JqbCy5OczIu9Lw7Cq7 jKULGnWlt0u+x1AFH+Nnh7mX0BWxfynb8TdUm7tdCI6j4CaHGG4LUR1UmDxTW7T2 iqhTd6XQ2gXbca+zP5P3Kuf61jBvLfUpURLL8NL82zspckVj5wVg8HPM/Ys6J05Q ==
X-ME-Sender: <xms:MHLyWR1AYy-owMCcAv6VP2lEtSqEN4BjPO9B60srt6NQw2ujbdABUw>
Received: from [] ( []) by (Postfix) with ESMTPA id 27D5B7F97C; Thu, 26 Oct 2017 19:39:26 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.0 \(3445.1.7\))
From: Mark Nottingham <>
In-Reply-To: <>
Date: Fri, 27 Oct 2017 10:39:23 +1100
Cc: John Fallows <>, Patrick McManus <>, hybi <>, HTTP Working Group <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <>
To: Martin Thomson <>
X-Mailer: Apple Mail (2.3445.1.7)
Archived-At: <>
Subject: Re: [hybi] New Version Notification for draft-mcmanus-httpbis-h2-websockets-01.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 26 Oct 2017 23:39:32 -0000

On 27 Oct 2017, at 10:07 am, Martin Thomson <> wrote:
> I still lean toward CONNECT for this, despite reservations about the subtle difference between usages (proxy vs. origin).  A natural lightweight implementation of this has the server add proxy code that forwards the tunnel to a websocket server.  That proxy would need to perform the old-school 6455 handshake with the websocket server, but could construct that from the headers of the CONNECT request.  The handling of the header might be different, but the DATA frames are handled just like a CONNECT tunnel.  That said, there is enough difference here to justify a different method.

Just to give some context as to why I don't think it's a subtle change -- consider OWASP's mod_security CRS, which is the basis of most WAF products. It has baked-in assumptions about the semantics of CONNECT; e.g.,

That is pretty widely deployed, and just one example. Don't assume that HTTP is just a two-party protocol, even over HTTPS.


Mark Nottingham