websocket; hixie: Block redirects in WebSockets (whatwg r6148)

websocket; hixie: Block redirects in WebSockets (whatwg r6148)

http://dev.w3.org/cvsweb/html5/websockets/Overview.html?r1=1.209&r2=1.210&f=h
http://html5.org/tools/web-apps-tracker?from=6147&to=6148

===================================================================
RCS file: /sources/public/html5/websockets/Overview.html,v
retrieving revision 1.209
retrieving revision 1.210
diff -u -d -r1.209 -r1.210
--- Overview.html 12 May 2011 07:08:49 -0000 1.209
+++ Overview.html 24 May 2011 23:16:46 -0000 1.210
@@ -211,7 +211,7 @@
 
    <h1>The WebSocket API</h1>
    
-   <h2 class="no-num no-toc" id="editor-s-draft-12-may-2011">Editor's Draft 12 May 2011</h2>
+   <h2 class="no-num no-toc" id="editor-s-draft-24-may-2011">Editor's Draft 24 May 2011</h2>
    <dl><dt>Latest Published Version:</dt>
     <dd><a href="http://www.w3.org/TR/websockets/">http://www.w3.org/TR/websockets/</a></dd>
     <dt>Latest Editor's Draft:</dt>
@@ -312,7 +312,7 @@
   </dl><p>The W3C <a href="http://www.w3.org/2008/webapps/">Web Applications
   Working Group</a> is the W3C working group responsible for this
   specification's progress along the W3C Recommendation track.
-  This specification is the 12 May 2011 Editor's Draft.
+  This specification is the 24 May 2011 Editor's Draft.
   <p>This specification is being developed in conjunction with an
   Internet Draft for a wire protocol, the WebSocket Protocol,
   available from the following location:<ul><li>WebSocket Protocol Internet-Draft: <a href="http://www.whatwg.org/specs/web-socket-protocol/">http://www.whatwg.org/specs/web-socket-protocol/</a></li>
@@ -489,6 +489,21 @@
     the resource name, with <var title="">protocols</var> as the
     (possibly empty) list of protocols, and with the <var title="">defer cookies</var> flag set. <a href="#refsWSP">[WSP]</a></p>
 
+    <p>When the user agent <i>validates the server's response</i> during
+    the "<span>establish a WebSocket connection</span>" algorithm, if
+    the status code received from the server is not 101 (e.g. it is a
+    redirect), the user agent must <span>fail the websocket
+    connection</span>.</p>
+
+    <p class="warning">Following HTTP procedures here could introduce
+    serious security problems in a Web browser context. For example,
+    consider a host with a WebSocket server at one path and an open
+    HTTP redirector at another. Suddenly, any script that can be given
+    a particular WebSocket URL can be tricked into communicating to
+    (and potentially sharing secrets with) any host on the Internet,
+    even if the script checks that the URL has the right hostname.</p>
+    
+
     <p class="note">If the "<span>establish a WebSocket
     connection</span>" algorithm fails, it triggers the "<span>fail
     the WebSocket connection</span>" algorithm, which then invokes

Received on Tuesday, 24 May 2011 23:18:01 UTC