W3C home > Mailing lists > Public > public-html@w3.org > July 2008

Re: websocket HTTP response parsing

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 7 Jul 2008 21:31:08 +0000 (UTC)
To: Julian Reschke <julian.reschke@gmx.de>
Cc: "public-html@w3.org" <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0807072126160.11210@hixie.dreamhostps.com>

On Mon, 7 Jul 2008, Julian Reschke wrote:
> Ian Hickson wrote:
> > We can't. If the handshake occurs after the first byte sent over the 
> > connection, it would be far too easy for someone to smuggle in a fake 
> > handshake.
> > 
> > Furthermore, one of our core requirements is the ability to implement 
> > a Web Socket Protocol server without any HTTP server involvement, and 
> > so we can't build this on HTTP.
> I was asking to *relax* the server requirements (by allowing the server 
> to return variants of the response that are equivalent from an HTTP 
> point of view) -- how would that make a server implementation harder?

If you're not proposing building this on HTTP (i.e. the server is just to 
pretend to do an HTTP response and then do the handshake instead of the 
HTTP response being the handshake) then it's not more complicated, it's 
just longer. I had assumed you wanted the server to properly handle HTTP.

However, it's still a non-starter. Anything that doesn't do the handshake 
starting with the first byte is far too likely to be spoofable.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 7 July 2008 21:32:08 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:44:33 UTC