
Re: #250 / #251 (connect bodies)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 27 Oct 2010 23:07:22 -0700
Message-ID: <AANLkTimaq4xhDeY9dTNquFpHeVq9o610Shba9A-EVNhV@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>, Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
That's true, but we don't know of any non-TLS WebSocket handshake that
connects more than about half the time.  If you want to reliably
connect to the server, you need to use TLS.


On Wed, Oct 27, 2010 at 11:04 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Intermediaries that aren't expecting CONNECT are just as likely to ignore it (i.e., many, but not all, will error out, whereas the rest will pass it through). E.g., try CONNECTing to Squid running as a transparent proxy, or against a L7 load balancer, or...
> Cheers,
> On 28/10/2010, at 4:59 PM, Adam Barth wrote:
>> On Wed, Oct 27, 2010 at 10:53 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>> On 28/10/2010, at 4:48 PM, Willy Tarreau wrote:
>>>> On Thu, Oct 28, 2010 at 02:14:53PM +1100, Mark Nottingham wrote:
>>>>> Because CONNECT is for establishing a connection to a proxy, not a gateway (which is what you're doing).
>>>> That's true but the semantics of the CONNECT method is the closest to what we
>>>> need in WebSocket. After all, we're negotiating a bidirectional tunnel between
>>>> the browser and the application through the HTTP infrastructure.
>>> This is neither horseshoes nor hand grenades. CONNECT is unique (and badly designed, as a method) because it doesn't go through, it terminates at the proxy. Sending a CONNECT to an origin server makes no sense, and is likely to be blocked by all sorts of infrastructure.
>>> You'd be better off using Upgrade, which is very much designed for this use case.
>> Unfortunately using Upgrade for WebSockets causes security
>> vulnerabilities because many intermediaries don't understand its
>> semantics and ignore it.  On the other hand, CONNECT is widely used
>> and has the behavior we want.
>> Adam
> --
> Mark Nottingham   http://www.mnot.net/
Received on Thursday, 28 October 2010 06:08:23 UTC
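The two handshake shapes argued over in this thread, as an added example that is not part of the thread and is not code from any of the participants. It builds an Upgrade-based WebSocket opening request and a CONNECT request side by side, and shows the client-side check that matters when an intermediary does not understand Upgrade: the response must be a 101 with a matching Sec-WebSocket-Accept, otherwise the request was forwarded as an ordinary GET and the "tunnel" never existed. It assumes the final RFC 6455 form of the Upgrade handshake (Sec-WebSocket-Key / Sec-WebSocket-Accept); the drafts under discussion in October 2010 used a different key scheme, so that detail is an assumption, not something the thread states. The sample responses are constructed, not captured traffic.

```python
"""
Added example (not from the thread): Upgrade vs CONNECT handshake shapes,
plus a check that the peer really switched protocols.

Assumption not stated in the thread: the Upgrade handshake follows RFC 6455
(Sec-WebSocket-Key / Sec-WebSocket-Accept) rather than the 2010 drafts.
"""
import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3; the server hashes it with the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_for(key: str) -> str:
    """Sec-WebSocket-Accept value a conforming server must return for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def upgrade_request(host: str, path: str, key: str) -> str:
    """Opening handshake sent to the origin via Upgrade (RFC 6455 style)."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def connect_request(host: str, port: int) -> str:
    """CONNECT terminates at the proxy: its target is an authority, not a path."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"


def parse_response(raw: str):
    """Split an HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def upgrade_honored(raw: str, key: str) -> bool:
    """True only if the peer switched protocols and proved it saw our key.

    An intermediary that ignores Upgrade forwards the GET as a plain request
    and relays the origin's normal answer; that shows up here as a non-101
    status or a missing/mismatched Sec-WebSocket-Accept.
    """
    status, headers, _ = parse_response(raw)
    if status != 101:
        return False
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    if "upgrade" not in headers.get("connection", "").lower():
        return False
    return headers.get("sec-websocket-accept") == accept_for(key)


# Constructed sample data (not captured traffic). KEY is the RFC 6455 example key.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    f"Sec-WebSocket-Accept: {accept_for(KEY)}\r\n\r\n"
)
# What a client sees when an Upgrade-unaware intermediary passed the GET through.
IGNORED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 5\r\n\r\nhello"
)
# A peer that echoes the Upgrade headers without the right key hash.
FORGED_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n"
)

if __name__ == "__main__":
    print(upgrade_request("example.com", "/chat", KEY))
    print(connect_request("example.com", 443))
    for name, resp in (("good", GOOD_RESPONSE), ("ignored", IGNORED_RESPONSE), ("forged", FORGED_RESPONSE)):
        print(name, "->", upgrade_honored(resp, KEY))
```

The point of `upgrade_honored` is that a client must not treat the connection as a tunnel merely because it sent `Upgrade: websocket`; only a 101 carrying the key-derived accept value proves that every hop understood the switch. CONNECT avoids that ambiguity because, as the thread notes, the proxy either performs the connect or errors out, but it is addressed to the proxy rather than to the origin, which is the mismatch Mark raises.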

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:55 UTC