
Re: [hybi] workability (or otherwise) of HTTP upgrade

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 1 Dec 2010 16:32:19 -0800
Cc: "William A. Rowe Jr." <wrowe@rowe-clan.net>, Hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <DA6A1BBE-B67F-40B9-92A3-E62E78E43CD0@gbiv.com>
To: Adam Barth <ietf@adambarth.com>

On Dec 1, 2010, at 10:01 AM, Adam Barth wrote:

> On Wed, Dec 1, 2010 at 9:45 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> On Dec 1, 2010, at 1:30 AM, William A. Rowe Jr. wrote:
>>> On 11/26/2010 6:55 AM, Greg Wilkins wrote:
>>>> 
>>>> And do you get similar feeling to think about using the CONNECT method
>>>> to establish tunnels for arbitrary protocols?
>>> 
>>> CONNECT suffers from the same issues you identify in deploying a new port.
>>> Namely, http servers will reject those requests.  Leveraging CONNECT
>>> successfully would require additional HTTP-level authentication to identify
>>> users and prevent abuse (as most proxies do).  Restructuring the internet,
>>> whether it is adding a new port to unblock, or permitting specific classes
>>> of CONNECT traffic, would be a similar battle.
>> 
>> Perhaps more to the point, CONNECT is a method that is only allowed to be
>> sent to a client-side proxy server.  Deliberately sending it in other
>> HTTP messages would be a violation of its method semantics and the
>> HTTP/1.1 syntax (because its unusual target syntax is only allowed
>> when sent to a proxy).
> 
> That seems like a matter of perspective.  When opening a connection to
> a WebSocket server, can one not view the server as a proxy server?

No, because the browser is not limiting such connections to a
configuration-selected proxy (hence, it is not equivalent from
a behavioral or organizational policy perspective, which is
where the name "proxy" came from originally and what drives the
selection and enforcement of proxy use within larger companies).

I don't have a problem with configured proxies being used via
a normal CONNECT tunnel to perform raw websockets access outside
a port-restricted firewall.  That would be a normal proxy
configuration (not intercepts).

....Roy
Received on Thursday, 2 December 2010 00:32:49 GMT
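
Added example, not part of the message above or of any project it mentions: a request-line check that treats CONNECT and its host:port target as valid only at a server acting as a client-configured proxy, which is the rule discussed in the thread. The function names, the "proxy"/"origin" role labels, the choice of status codes and the sample host are assumptions of this sketch.

```python
# Added illustration; names, roles and status codes are hypothetical choices.
import re

# authority-form: host ":" port, with no scheme and no path (used by CONNECT).
_AUTHORITY = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$")

def target_form(target):
    """Classify an HTTP/1.1 request-target by its syntactic form."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "absolute-form"
    m = _AUTHORITY.match(target)
    if m and 0 < int(m.group(2)) <= 65535:
        return "authority-form"
    return "invalid"

def check_request_line(line, role):
    """Return (status, reason) for a request line received in `role`:
    "proxy" is a client-configured forward proxy, "origin" an origin server."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, "malformed request line"
    method, target, _version = parts
    form = target_form(target)
    if form == "invalid":
        return 400, "unrecognised request-target"
    # The host:port target and the CONNECT method only make sense together.
    if (method == "CONNECT") != (form == "authority-form"):
        return 400, "authority-form and CONNECT must be used together"
    # A server that is not the client's configured proxy refuses to tunnel.
    if method == "CONNECT" and role != "proxy":
        return 405, "CONNECT is only accepted by a configured proxy"
    if form == "asterisk-form" and method != "OPTIONS":
        return 400, "asterisk-form is only valid with OPTIONS"
    return 200, "accepted for further processing"
```

A proxy deployment would still apply authentication and a destination allow-list before opening the tunnel, as the quoted text notes most proxies do.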
