W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2016

Re: WebSocket2

From: Van Catha <vans554@gmail.com>
Date: Sat, 1 Oct 2016 15:18:49 -0400
Message-ID: <CAG-EYChPJpAzoEuNwY3cNz503d0FRbNnDx_9AsNsZyfb5nmN0g@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: HTTP working group mailing list <ietf-http-wg@w3.org>
> Is there request header to request no caching? There is certainly a
> response header to request no caching.

I believe there is no request that can specify "don't cache", but I may be
wrong.

> Or perhaps use a dedicated method? It would seem pretty obivous that
> if you see a unknown method, you shouldn't assume very much about what
> it is.

I think adding/using an unconventional method will be way beyond the scope
of what
is presented.  I do not think anyone will implement that?

> Unfortunately, HTTP/2 does not have strict scheme handling like I
> proposed. With it, one could just have directly used the wss scheme
> (or ws for oppsec) and be done with it.

:scheme is perfect! Wow.  If we could pass ws/wss for example as the scheme
that
fits perfectly. Looking at https://tools.ietf.org/html/rfc3986#section-3.1
the spec for schemes
it seems ws and wss are perfectly valid schemes to use and are registered;
http://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml.

If we wanted to pass ws2, we would have to register the scheme which I think
should not be a problem.  As ws2 will not be backwards compatible with
ws/wss.  Would wss2 need to be included as well in this case?

So in the current state of affairs, using wss as the scheme over HTTP/2
will default to using
WebSocket2. Using ws as the scheme will default to WebSocket2 as well (for
backwards compat).
So if the client API uses WebSocket("ws://my-http2-server.com/channel") or
wss, both should
go to WebSocket2.

Where is the problem in HTTP/2 that would disallow schemes different from
http and https, I do not see
anything related to this?


> It seems to me that using https:// GET here is rather dangerous. Even with
> extra custom headers.

Any alternative suggestion?






On Sat, Oct 1, 2016 at 2:47 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Sat, Oct 01, 2016 at 02:20:38PM -0400, Van Catha wrote:
>
> > The proxy problem circles around back to the implementation. Perhaps a
> > header in the request could be included saying to not cache anything, if
> > the proxy caches things well its the proxies fault.  Also if the proxy is
> > not aware of WebSocket2 this should not matter, the proxies job is to
> > forward everything as it came.  As long as the proxy would forward the
> > websocket2-[version|compression] headers to the server and forward what
> the
> > server replies with there should be no problems.  Again if the proxy is
> > "smart" and decides to cache the response (which did not specify any
> > headers related to caching) its the proxies fault.  To be more direct the
> > response may be forced to include headers specifically instructing
> nothing
> > should be cached.  Does this work?
>
> Is there request header to request no caching? There is certainly a
> response header to request no caching.
>
> Or perhaps use a dedicated method? It would seem pretty obivous that
> if you see a unknown method, you shouldn't assume very much about what
> it is.
>
> > I am thinking using SETTINGS frames would be too complex, as that would
> > require baking WebSocket2 directly into HTTP/2, the way it is now,
> > WebSocket2 should run over HTTP/2 with minimal resistance since we do not
> > introduce new settings or HTTP/2 frame types.  HTTP/2 was designed from
> the
> > very beginning to not support 2 way streaming like websocket provides
> > currently for HTTP/1.1.  I think the resistance would be great if adding
> > WebSocket2 requires adding to the actual HTTP/2 specification.
>
> Unfortunately, HTTP/2 does not have strict scheme handling like I
> proposed. With it, one could just have directly used the wss scheme
> (or ws for oppsec) and be done with it.
>
> > If origin server does not know about WebSocket2 and the request succeeds
> > that is indeed a problem.  Perhaps the server can reply with the error
> > header always like websocket2-error: okay; in the case when the
> WebSocket2
> > negotation was a success. This way an origin server without WebSocket2
> will
> > reply with 200, and the client will see there is no websocket2-error:
> okay;
> > header and promptly notify the client that WebSocket2 negotiation failed.
>
> It seems to me that using https:// GET here is rather dangerous. Even with
> extra custom headers.
>
>
> -Ilari
>
Received on Saturday, 1 October 2016 19:19:18 UTC

This archive was generated by hypermail 2.3.1 : Saturday, 1 October 2016 19:19:21 UTC