[whatwg] Why deflate-stream is required to be enabled by the WebSocket API?

On Tue, 19 Jul 2011, Takeshi Yoshino wrote:
> 
> Use of deflate-stream is now mandatory in API spec. I think this kind of 
> requirement is useless. How about leave it up to implementors' decision? 

Well we don't want optional features, so it's either in or out.


> I think this requirement doesn't really help us enforce endpoints
> initiate/accept WebSocket with the same configuration. Because
> 
> - non-browser UAs are free to be implemented without deflate-stream

Non-browser clients of Web Sockets are going to be comparatively rare and 
will not have the market power to affect de-facto requirements. So for 
the purpose of the API, they are irrelevant.


> - server developers would see/care only the wire protocol spec

Server developers are only going to care about what browsers need, not 
what specs say.


> So, server developers would simply make their implementation accept both 
> requests with and without deflate-stream, I think.

It's fine if they do.

We just need to make sure they don't require it to be supported, or 
require it to not be supported, and thus force us into one or the other. 
The simplest way to prevent that is to make sure all the browsers act the 
same.


> It's not likely that server implementors are influenced by "the 
> WebSocket API" and have their server check if a UA is browser or not and 
> reject requests w/o deflate-stream.

Not intentionally, maybe, but it is most definitely going to happen.


> The only people who benefit from this requirement is those who implement 
> a server only for their own use and are not interested in serving 
> non-browser clients.

That will likely be the majority of implementors.


On Wed, 20 Jul 2011, Bjoern Hoehrmann wrote:
> 
> The deflate-stream extension, when used for browser to server messages 
> allows an attacker to put whatever bytes he likes on the wire, after a 
> bit of unpredictable junk. Browser vendors were pretty opposed to that 
> for the normal protocol without extensions, and they were opposed to 
> having some way to make browsers send messages "unmasked"; so it would 
> be very odd for browser vendors to implement the extension. And by the 
> looks of it, the hybi Working Group may well drop deflate-stream now. 
> See <http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html> 
> and <http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.

I've changed the spec to make the extension disallowed rather than 
required.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 27 July 2011 13:37:33 UTC