- From: Dave Cridland <dave@cridland.net>
- Date: Tue, 07 Dec 2010 09:42:05 +0000
- To: Maciej Stachowiak <mjs@apple.com>, Server-Initiated HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>
On Mon Dec 6 23:27:02 2010, Maciej Stachowiak wrote:
> I'd like to see more detail on the data than is found in the paper,
> but it seems to show a real-world hazard with use of Upgrade, since
> many intermediaries do not understand it and at least a few are
> confused into treating subsequent traffic as additional HTTP
> requests and responses.

That's a subtle misread of the paper.

The paper shows that many intermediaries treat any traffic as HTTP requests and responses until they find a CONNECT, after which they treat the traffic as opaque except in a tiny minority of cases (what, 4 out of 54,000?).

The paper makes no stance on whether Upgrade itself is problematic, just whether CONNECT is sufficient to break the intermediaries' assumptions.

Hence my suggestion that an ideal solution is to have the initial traffic from the client within the websocket appear to be a CONNECT (albeit, a deliberately broken one akin to Adam et al.'s paper).

What this results in is, in formal terms, an Upgrade to Websocket happens, whereas to a naïve third party intermediary, there is a GET or POST followed by a CONNECT.

No specifications were harmed in the making of this suggestion...

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

Received on Tuesday, 7 December 2010 09:42:45 UTC
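
The intermediary behaviour described in the message above, as an added example that is not part of the original email or of the paper it discusses: a toy model of a proxy that ignores Upgrade, parses everything as HTTP, and goes opaque only once it sees a CONNECT. The parsing rules, the host names and the exact form of the CONNECT preamble are assumptions made for illustration.

```python
# Toy model (constructed for illustration) of a naive intermediary on one
# TCP stream. Simplification: messages are header blocks ending in a blank
# line, with no bodies.
METHODS = (b"GET ", b"POST ", b"CONNECT ")

def naive_intermediary(stream: bytes) -> list[str]:
    """Classify each chunk of the stream the way the modelled proxy would.

    Assumed behaviour: Upgrade headers are ignored; traffic is parsed as
    HTTP until a CONNECT request line appears; everything after is opaque.
    """
    seen = []
    rest = stream
    while rest:
        head, sep, body = rest.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0]
        if not sep or not request_line.startswith(METHODS):
            seen.append("unparsed")      # not recognisable as an HTTP request
            break
        method = request_line.split(b" ", 1)[0].decode()
        if method == "CONNECT":
            seen.append("CONNECT")
            if body:
                seen.append("opaque")    # proxy stops interpreting the bytes
            break
        seen.append(f"http:{method}")    # interpreted (and possibly acted on)
        rest = body
    return seen

# Constructed sample traffic.
HANDSHAKE = (b"GET /chat HTTP/1.1\r\nHost: server.example\r\n"
             b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n")
# Application data sent after the Upgrade that happens to look like HTTP.
APP_DATA = b"GET /data HTTP/1.1\r\nHost: server.example\r\n\r\n"
# Placeholder for the "deliberately broken" CONNECT; the real form is not
# given in the email.
PREAMBLE = b"CONNECT websocket.invalid:443 HTTP/1.1\r\n\r\n"

def upgrade_only() -> list[str]:
    return naive_intermediary(HANDSHAKE + APP_DATA)

def upgrade_then_connect() -> list[str]:
    return naive_intermediary(HANDSHAKE + PREAMBLE + APP_DATA)

if __name__ == "__main__":
    print("Upgrade only:        ", upgrade_only())
    print("Upgrade then CONNECT:", upgrade_then_connect())
```

With Upgrade alone the modelled proxy sees two HTTP requests; with the CONNECT preamble it sees a GET, a CONNECT, and then bytes it no longer interprets.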