W3C home > Mailing lists > Public > public-html@w3.org > July 2008

Re: websocket HTTP response parsing

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 07 Jul 2008 14:35:26 +0200
Message-ID: <48720D8E.3040708@gmx.de>
To: Ian Hickson <ian@hixie.ch>
CC: "public-html@w3.org" <public-html@w3.org>

Ian Hickson wrote:
> On Mon, 7 Jul 2008, Julian Reschke wrote:
>> "The requirement that the handshake not be one that an existing server 
>> can be tricked into sending".
> 
> One of the key aspects of this feature is that it not be abusable in the 
> sense of a hostile site connecting from the user's machine to services on 
> the internet or intranet that are not expecting machines under the control 
> of the author to connect to them.
> 
> For example, if a connection could be made from a Web page to an SMTP 
> server, then a hostile author could use this API to send spam.
> 
> Similarly, if a connection could be made to an HTTP server behind a 
> firewall, then a hostile author could obtain confidential data.
> 
> Or a hostile author could connect to an IRC server and cause the user's 
> machine to act as an IRC bot.
> 
> And so on.
> 
> The goal of the handshake is to make this impossible, by dropping the 
> connection if the remote host doesn't show a willingness to take part in 
> the Web Socket protocol, and a willingness to communicate with the page in 
> question, based on its origin (in the HTML5 sense).

OK, thanks for the explanation.

In this case I would advise to have that handshake *after* the websocket 
connection has been established (so in the case where this actually goes 
through a real HTTP server, *after* the 101 is returned). Keep in mind 
that there are other things that could go wrong, such as the server 
returning  the headers "Upgrade:" or "Connection:" in a different order, 
or interleaving them with other headers (such as "Date:").

>  ...

BR, Julian
Received on Monday, 7 July 2008 12:36:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:56 UTC