
[whatwg] WebSocket websocket-origin

From: Richard's Hotmail <maher_rj@hotmail.com>
Date: Wed, 29 Oct 2008 17:52:02 +0800
Message-ID: <BAY131-DAV27D3C70E8E574689B3B69FB260@phx.gbl>
Hear! Hear!

----- Original Message ----- 
From: "Shannon" <shannon@arc.net.au>
To: "Anne van Kesteren" <annevk at opera.com>
Cc: "WHATWG" <whatwg at whatwg.org>
Sent: Tuesday, September 30, 2008 12:59 PM
Subject: Re: [whatwg] WebSocket websocket-origin


> Anne van Kesteren wrote:
> > What is the reason for doing literal comparison on the
> > websocket-origin and websocket-location HTTP headers? Access Control
> > for Cross-Site Requests is currently following this design for
> > access-control-allow-origin, but sicking is complaining about it, so maybe
> > it should be URL-without-<path> comparison instead. (E.g., then
> > http://example.org and http://example.org:80 would be equivalent.)
> >
> >
> I think the temptation to standardise features like access control 
> defeats the point of websockets. Since things like access control and 
> sessions can be readily implemented via CGI interfaces it seems implied 
> that the whole point of websockets is to provide "lightweight" services. 
> If the service actually needs something like this then the author can 
> perform the check post-handshake using any method they feel like. I 
> don't really feel strongly one way or the other about this particular 
> header but I'm concerned about the slippery-slope of complicating the 
> HTTP handshake to the point where you might as well be using CGI. Maybe 
> the standard should simply recommend sending the header but make no 
> requirement about how it is parsed. That way the service itself can 
> decide whether the check is even necessary and if so whether it should 
> be strict or loose or regex-based without the client automatically 
> hanging up the connection.
> 
> Shannon
> 
Received on Wednesday, 29 October 2008 02:52:02 UTC
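The two comparison rules the thread argues over, as an added example that is not code from the list, the draft or either author: literal matching of the websocket-origin header beside the URL-without-path (scheme, host, effective port) matching Anne describes, plus a server-side allow-list check of the kind Shannon says a service can do for itself. The header name, the allow list and the fail-closed handling of unparseable origins are assumptions of this example.

```python
from __future__ import annotations
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Effective default ports, so "http://example.org" and "http://example.org:80"
# compare equal under the normalized rule (assumed scheme set for this example).
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def normalize_origin(origin: str) -> Optional[Tuple[str, str, int]]:
    """Reduce an origin to (scheme, host, port): the URL-without-<path> form.
    Returns None for anything that is not a bare scheme://host[:port], e.g.
    'null', a missing scheme or a non-numeric port, so callers fail closed."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError when the port is not an integer
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An origin carries no path, query, fragment or userinfo; reject them.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def literal_match(origin: str, allowed: str) -> bool:
    """The literal comparison the draft specified: byte-for-byte equality."""
    return origin == allowed


def normalized_match(origin: str, allowed: str) -> bool:
    """Equal scheme, host and effective port; unparseable input never matches."""
    a, b = normalize_origin(origin), normalize_origin(allowed)
    return a is not None and a == b


def check_origin_header(headers: Dict[str, str], allowed_origins: List[str]) -> bool:
    """Post-handshake allow-list check on the server side. Header keys are
    assumed to be lowercased by the caller; a missing header is rejected."""
    origin = headers.get("websocket-origin")
    if origin is None:
        return False
    return any(normalized_match(origin, allowed) for allowed in allowed_origins)
```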
