Re: [whatwg/fetch] Stop saying WebSocket auth is disallowed (#761)

ricea commented on this pull request.



> @@ -6301,12 +6301,11 @@ therefore not shareable, a WebSocket connection is very close to identical to an
 <p><dfn>Fail the WebSocket connection</dfn> and <dfn>the WebSocket connection is established</dfn>
 are defined by The WebSocket Protocol. [[!WSP]]
 
-<p class=warning>The reason redirects are not followed, HTTP authentication will not function, and
-this handshake is generally restricted is because that could introduce serious security problems in
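Review bot: the two `-` lines remove the whole warning, including the rationale for the redirect restriction and the "generally restricted" statement, when the PR's stated aim is only to stop claiming that HTTP authentication is disallowed. Consider keeping a trimmed warning that drops just "HTTP authentication will not function," e.g. "The reason redirects are not followed and this handshake is generally restricted is because that could introduce serious security problems ...", so the explanation for `redirect mode` being "error" does not disappear from the spec text.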

Okay, I've done my analysis of the restrictions. It does match pretty closely to Chrome's implementation. I will add back the "generally restricted" text. The 401 behaviour described by the standard is odd, but maybe we should discuss that elsewhere.

--

> Let request be a new [request](https://fetch.spec.whatwg.org/#concept-request), whose [url](https://fetch.spec.whatwg.org/#concept-request-url) is requestURL, [client](https://fetch.spec.whatwg.org/#concept-request-client) is client, [service-workers mode](https://fetch.spec.whatwg.org/#request-service-workers-mode) is "none", [referrer](https://fetch.spec.whatwg.org/#concept-request-referrer) is "no-referrer", [synchronous flag](https://fetch.spec.whatwg.org/#synchronous-flag) is set, [mode](https://fetch.spec.whatwg.org/#concept-request-mode) is "websocket", [credentials mode](https://fetch.spec.whatwg.org/#concept-request-credentials-mode) is "include", [cache mode](https://fetch.spec.whatwg.org/#concept-request-cache-mode) is "no-store", and [redirect mode](https://fetch.spec.whatwg.org/#concept-request-redirect-mode) is "error".

[service-workers mode](https://fetch.spec.whatwg.org/#request-service-workers-mode) is "none" -- No service workers will get events for this fetch.

[referrer](https://fetch.spec.whatwg.org/#concept-request-referrer) is "no-referrer" -- No "Referer:" header is sent in the request.

[mode](https://fetch.spec.whatwg.org/#concept-request-mode) is "websocket" -- No preflight. "Origin:" header is included. "Obtaining a WebSocket connection" is used.

[credentials mode](https://fetch.spec.whatwg.org/#concept-request-credentials-mode) is "include" -- cookies are sent. Authorization header is set if known to be needed. On 401 response we maybe prompt for credentials? Or not, because "request's [window](https://fetch.spec.whatwg.org/#concept-request-window) is an [environment settings object](https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object)," is not true?

[cache mode](https://fetch.spec.whatwg.org/#concept-request-cache-mode) is "no-store" -- adds "Pragma: no-cache" and "Cache-Control: no-cache" to the header list.

> If response is a [network error](https://fetch.spec.whatwg.org/#concept-network-error) or its [status](https://fetch.spec.whatwg.org/#concept-response-status) is not 101, [fail the WebSocket connection](https://fetch.spec.whatwg.org/#fail-the-websocket-connection).

Effectively bans any status except for 401, 407 and 101.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/761#discussion_r195747178

Received on Friday, 15 June 2018 14:10:46 UTC