W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2010

Re: #250 / #251 (connect bodies)

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 28 Oct 2010 07:48:25 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20101028054825.GA20369@1wt.eu>
On Thu, Oct 28, 2010 at 02:14:53PM +1100, Mark Nottingham wrote:
> Because CONNECT is for establishing a connection to a proxy, not a gateway (which is what you're doing).

That's true but the semantics of the CONNECT method is the closest to what we
need in WebSocket. After all, we're negociating a bidirectionnal tunnel between
the browser and the application through the HTTP infrastructure.

> Also, I suspect putting a body on a CONNECT request is going to lead to interop problems (which is what led to #251).

And possibly to request smuggling attacks, which was one reason for
choosing CONNECT. We should stay on the compatibilty side IMHO, and
I too am worried about the possible implications of sending a body
with a CONNECT.

Regards,
Willy
Received on Thursday, 28 October 2010 05:49:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:31 GMT