Re: [hybi] workability (or otherwise) of HTTP upgrade

On Dec 1, 2010, at 10:01 AM, Adam Barth wrote:

> On Wed, Dec 1, 2010 at 9:45 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> On Dec 1, 2010, at 1:30 AM, William A. Rowe Jr. wrote:
>>> On 11/26/2010 6:55 AM, Greg Wilkins wrote:
>>>> 
>>>> And do you get similar feeling to think about using the CONNECT method
>>>> to establish tunnels for arbitrary protocols?
>>> 
>>> CONNECT suffers from the same issues you identify in deploying a new port.
>>> Namely, http servers will reject those requests.  Leveraging CONNECT
>>> successfully would require additional HTTP-level authentication to identify
>>> users and prevent abuse (as most proxies do).  Restructuring the internet,
>>> whether it is adding a new port to unblock, or permitting specific classes
>>> of CONNECT traffic, would be a similar battle.
>> 
>> Perhaps more to the point, CONNECT is a method that is only allowed to be
>> sent to a client-side proxy server.  Deliberately sending it in other
>> HTTP messages would be a violation of its method semantics and the
>> HTTP/1.1 syntax (because its unusual target syntax is only allowed
>> when sent to a proxy).
> 
> That seems like a matter of perspective.  When opening a connection to
> a WebSocket server, can one not view the server as a proxy server?

No, because the browser is not limiting such connections to a
configuration-selected proxy (hence, it is not equivalent from
a behavioral or organizational policy perspective, which is
where the name "proxy" came from originally and what drives the
selection and enforcement of proxy use within larger companies).

I don't have a problem with configured proxies being used via
a normal CONNECT tunnel to perform raw websockets access outside
a port-restricted firewall.  That would be a normal proxy
configuration (not intercepts).

....Roy

Received on Thursday, 2 December 2010 00:32:49 UTC