- From: Robert Rothenberg <robrwo@gmail.com>
- Date: Fri, 27 Jun 2025 19:00:06 +0100
- To: ietf-http-wg@w3.org
Looking at RFC 6455 on WebSockets, it says

> The value of this header field MUST be a nonce consisting of a randomly selected 16-byte value that has been base64-encoded (see Section 4 of [RFC4648]). The nonce MUST be selected randomly for each connection.

I am assuming this should use a CSPRNG to generate the random bytes. But as far as I can tell, there is nothing in the RFC that explicitly says that about this field.

Does it matter how those bytes are generated, or was this an oversight?

Note that the discussion of the masking key says "The masking key needs to be unpredictable; thus, the masking key MUST be derived from a strong source of entropy, and the masking key for a given frame MUST NOT make it simple for a server/proxy to predict the masking key for a subsequent frame."

Regards,
Robert
Received on Friday, 27 June 2025 18:12:13 UTC