Re: [fetch] Define the WebSocket client handshake in terms of Fetch (#236) from Mike West on 2016-03-08 (public-webapps-github@w3.org from March 2016)

From: Mike West <notifications@github.com>
Date: Tue, 08 Mar 2016 09:35:31 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/pull/236/c193882269@github.com>

This looks good, thank you Anne.

Some thoughts:

1. How do you intend for this to play together with Service Workers? As written, we'd be exposing the initial request to the worker, which might give them an opportunity to do something unexpected.

2. It would be nice if the HSTS spec mentioned WebSockets. As is, I think the fact that Fetch upgrades the initial request from HTTP to HTTPS means that the WebSocket upgrade will automagically continue over a secure connection (because the scheme will be `https`, so `secure` will be `true` in "obtain a websocket connection").

3. We'll have to figure out what the CSP hook looks like, as `connect-src` looks for `ws:whatever` today. I think Fetch is fine here, as we're passing the whole request to CSP. 

Otherwise, LGTM.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/236#issuecomment-193882269

Received on Tuesday, 8 March 2016 17:36:01 UTC