- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 7 Dec 2010 10:15:46 +1100
- To: Roy T. Fielding <fielding@gbiv.com>
- Cc: Adam Barth <ietf@adambarth.com>, "William A. Rowe Jr." <wrowe@rowe-clan.net>, Hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Right. Adam is talking about a gateway, not a proxy.

On 02/12/2010, at 11:32 AM, Roy T. Fielding wrote:

> On Dec 1, 2010, at 10:01 AM, Adam Barth wrote:
>
>> On Wed, Dec 1, 2010 at 9:45 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>> On Dec 1, 2010, at 1:30 AM, William A. Rowe Jr. wrote:
>>>> On 11/26/2010 6:55 AM, Greg Wilkins wrote:
>>>>>
>>>>> And do you get similar feeling to think about using the CONNECT method
>>>>> to establish tunnels for arbitrary protocols?
>>>>
>>>> CONNECT suffers from the same issues you identify in deploying a new port.
>>>> Namely, http servers will reject those requests. Leveraging CONNECT
>>>> successfully would require additional HTTP-level authentication to identify
>>>> users and prevent abuse (as most proxies do). Restructuring the internet,
>>>> whether it is adding a new port to unblock, or permitting specific classes
>>>> of CONNECT traffic, would be a similar battle.
>>>
>>> Perhaps more to the point, CONNECT is a method that is only allowed to be
>>> sent to a client-side proxy server. Deliberately sending it in other
>>> HTTP messages would be a violation of its method semantics and the
>>> HTTP/1.1 syntax (because its unusual target syntax is only allowed
>>> when sent to a proxy).
>>
>> That seems like a matter of perspective. When opening a connection to
>> a WebSocket server, can one not view the server as a proxy server?
>
> No, because the browser is not limiting such connections to a
> configuration-selected proxy (hence, it is not equivalent from
> a behavioral or organizational policy perspective, which is
> where the name "proxy" came from originally and what drives the
> selection and enforcement of proxy use within larger companies).
>
> I don't have a problem with configured proxies being used via
> a normal CONNECT tunnel to perform raw websockets access outside
> a port-restricted firewall. That would be a normal proxy
> configuration (not intercepts).
>
> ....Roy

--
Mark Nottingham   http://www.mnot.net/

Received on Monday, 6 December 2010 23:16:25 UTC