[whatwg] Implementation of a good HTTPSocket (TCP-socket) from Philipp Serafin on 2008-06-19 (public-whatwg-archive@w3.org from June 2008)

From: Philipp Serafin <phil127@gmail.com>
Date: Thu, 19 Jun 2008 03:15:51 +0200
Message-ID: <f042876c0806181815m338706fcwfe153d59df440c50@mail.gmail.com>

On Thu, Jun 19, 2008 at 12:46 AM, Frode B?rli <frode at seria.no> wrote:

> Web pages should only be allowed to access other servers when the
> script has been digitally signed, and when the user has agreed to
> giving the script elevated privileges - or there should be a
> certificate on the origin server which is checked against DNS records
> for each server that the script attempts to connect to.

What prevents a malicious site from simply getting their own certificate?
As for user prompts, I think we have seen how well that works with
IE's ActiveX controls. I fear malicious sites would just put up a
"Click 'yes' in the next dialog to continue" message, and we're back
to square one.

DNS records sound like a good idea though.

> So what we want is a http based protocol which allow the client to
> continue communicating with the script that handles the initial
> request.

I absolutely agree that this would be the best way. However, couldn't
we use Michaels proposal for that? It seems to solve the same problems
and is actually compliant HTTP (in theory at least).

I find the SessionID header a very good idea though.What are the
thoughts on that?

I'm sorry if that has already been discussed, but if we use HTTP, why
can't we use the Access Control spec as an "opt in mechanism" that is
a little easier to implement than DNS? If you modify the behaviour a
little, you could even use it against DDOS attacks:

"Counter suggestion": When a WebSocket objects attempts to connect,
perform Access Control checks the way you would for POST requests.
If the check fails and if the server response contains an
Access-Control-Max-Age header, agents must immediately close the
connection and must not open a connection to that resource again (or,
if Access-Control-Policy-Path is present, to any resource specified)
until the specified time has elapsed.
That way, administrators that are hit by a DDOS can simply put

Access-Control: allow <*> exclude <evilsite.example.com>
Access-Control-Max-Age: 86400
Access-Control-Policy-Path: /

in their server headers and the stream should relatively quickly slow
down to a trickle.

What do you think?

With best regards,
Philipp Serafin

Received on Wednesday, 18 June 2008 18:15:51 UTC