
Re: Ben Campbell's Yes on draft-ietf-httpbis-h2-websockets-06: (with COMMENT)

From: Ben Campbell <ben@nostrum.com>
Date: Mon, 11 Jun 2018 20:44:09 -0500
Message-Id: <BE5375BA-F4BE-438D-AB89-B54D67F2073D@nostrum.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-h2-websockets@ietf.org, Mark Nottingham <mnot@mnot.net>, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
To: Patrick McManus <pmcmanus@mozilla.com>
> On Jun 10, 2018, at 6:50 PM, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> On Thu, Jun 7, 2018 at 5:01 PM, Ben Campbell <ben@nostrum.com> wrote:
> 
> > On Jun 7, 2018, at 3:13 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
> >
> > Hi Ben, thanks for the review -
> >
> > On Wed, Jun 6, 2018 at 9:36 PM, Ben Campbell <ben@nostrum.com> wrote:
> >
> > Substantive:
> > §5: Is the scheme pseudo-header expected to match the security status of the
> > existing connection?
> >
> > 7540 indicates the security requirements for carrying https or http schemes, which conveniently are the schemes used by this draft.
> >
> 
> Okay, let me check my understanding here.
> 
> If I want to set up a tunnel for “wss”, :scheme must be https, and that’s only possible if the connection for the stream is running over TLS.
> 
> right
> 
> And you are also disallowed from setting up a tunnel for “ws” if the stream is running over a connection set up for HTTPS?
> 
> ws uses the http :scheme, and the rules for doing that with TLS and h2 are set by RFC 8164 if a client really wants to. In most cases though they will just continue to use http/1 as that's what's normal for http:// resources.

Ah, got it. I think it would be helpful for this draft to elaborate a bit on the relationships between the websocket scheme and the security properties of the channel when used with h2. I’m not looking for detail; just a few sentences to explain what you just explained to me.

> 
> > The draft doesn't require that you use the connection that the markup was received on - though that's obviously desirable when possible.
> 
> I’m a bit confused by that statement. I understand this mechanism to upgrade an existing stream to WebSocket. How would you do that on a different connection?
> 
> The term upgrade is a bit confusing, but it is inherited from 6455. Everything needs to start with http(s) and then be turned into (i.e. upgraded into) websockets. You can do that with a new http connection. (The term upgrade comes from the h1 request header named Upgrade, which does this in an h1 context.)

I think this part is now academic, and should not delay progressing the document. But for my own education...

Thinking about CONNECT in the general case: When you say “new http connection” do you mean a new connection between the client and the proxy or server, or a new connection between a proxy and a server resulting from CONNECT?

Thanks!

Ben.
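The scheme-to-transport rule the two of them converge on above (wss maps to :scheme https, which RFC 7540 only carries over TLS; ws maps to :scheme http, which over TLS is only the RFC 8164 opportunistic case) is easy to get wrong in an h2 client. The following is an added example, not code from the thread or from any of the participants' implementations: it builds the RFC 8441 extended CONNECT pseudo-headers for a ws/wss URL and then checks them against the state of the connection they are about to be sent on. The `opportunistic_http` and `peer_enabled_connect_protocol` flags are assumptions of this example, standing in for an RFC 8164 agreement and for having received SETTINGS_ENABLE_CONNECT_PROTOCOL=1 from the peer respectively.

```python
"""Added example (not part of the original thread): map a WebSocket URL onto
RFC 8441 extended-CONNECT pseudo-headers and check them against the transport.

Assumed inputs (not stated in the thread):
  over_tls                     - whether this h2 connection runs over TLS
  opportunistic_http           - whether an RFC 8164 agreement permits
                                 http:// requests on this TLS connection
  peer_enabled_connect_protocol - whether the peer sent
                                 SETTINGS_ENABLE_CONNECT_PROTOCOL = 1
"""
from urllib.parse import urlsplit

# RFC 8441 section 5: wss -> https, ws -> http. No other target schemes.
SCHEME_MAP = {"wss": "https", "ws": "http"}


def build_extended_connect(ws_url):
    """Return the pseudo-headers and headers of an RFC 8441 bootstrap request.

    Sec-WebSocket-Key/Accept are not used over h2 (RFC 8441 section 5), so
    only the version header is carried; Origin/Protocol/Extensions would be
    added by the caller exactly as for RFC 6455.
    """
    parts = urlsplit(ws_url)
    if parts.scheme not in SCHEME_MAP:
        raise ValueError("target URI scheme must be ws or wss, got %r" % parts.scheme)
    if not parts.netloc:
        raise ValueError("target URI needs an authority")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {
        ":method": "CONNECT",
        ":protocol": "websocket",   # the extended-CONNECT pseudo-header
        ":scheme": SCHEME_MAP[parts.scheme],
        ":authority": parts.netloc,
        ":path": path,
        "sec-websocket-version": "13",
    }


def check_transport(headers, over_tls, opportunistic_http=False,
                    peer_enabled_connect_protocol=True):
    """Decide whether `headers` may be sent on this connection.

    Returns (ok, reason). The reasons encode the rules discussed in the
    thread: https-scheme requests need TLS (RFC 7540 section 3.1), and
    http-scheme requests over TLS are only the RFC 8164 opportunistic case.
    """
    if not peer_enabled_connect_protocol:
        # RFC 8441 section 4: never send :protocol before the peer has
        # advertised SETTINGS_ENABLE_CONNECT_PROTOCOL = 1.
        return False, "peer has not enabled extended CONNECT"
    scheme = headers[":scheme"]
    if scheme == "https":
        if not over_tls:
            return False, "wss needs :scheme https, which requires TLS"
        return True, "wss over TLS h2"
    if scheme == "http":
        if over_tls and not opportunistic_http:
            return False, "ws (:scheme http) over TLS only via RFC 8164"
        if over_tls:
            return True, "ws over TLS under RFC 8164 opportunistic security"
        return True, "ws over cleartext h2c"
    return False, "unexpected :scheme %r" % scheme


if __name__ == "__main__":
    for url, tls in (("wss://example.com/chat?room=1", True),
                     ("wss://example.com/chat", False),
                     ("ws://example.com/chat", True),
                     ("ws://example.com/chat", False)):
        h = build_extended_connect(url)
        print(url, "over_tls=%s" % tls, "->", check_transport(h, tls))
```

The check is deliberately separate from the header builder: the same request headers are valid or invalid depending only on the connection they are sent on, which is exactly the point of the exchange above.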
Received on Tuesday, 12 June 2018 01:44:45 UTC