[whatwg/fetch] Refactoring WebSocket connections (#1243) from Anne van Kesteren on 2021-05-26 (public-webapps-github@w3.org from May 2021)

From: Anne van Kesteren <notifications@github.com>
Date: Wed, 26 May 2021 09:41:41 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1243@github.com>

The objective is to make WebSocket connections hook into "obtain a connection" to make it clear what logic is shared.

There are two problems:

1. Step 2 of https://datatracker.ietf.org/doc/html/rfc6455#section-4.1.
1. Defining this properly requires an abstract notion of turning a domain into an IP address. We might need that anyway for features such as `dns-prefetch`, but I recall @sleevi hoping we could avoid it.
2. The side table might also have to be partitioned to be completely safe. This would not significantly widen the DOS scope as the attacker would be constrained by the number of tabs the user has open where the top-level site is unique and the attacker is embedded. An argument could be made that the privacy attack (not the DOS attack) is nearly indistinguishable from network jitter however and not worth the effort.
2. Requiring a dedicated connection, but only for HTTP/1. There are two approaches here:
1. Introduce a new parameter.
2. Turn the dedicated parameter into an enum: "not", "if-http1", "always". This would require slight tweaks to WebTransport. I slightly prefer this, but the alternative is acceptable to me as well.

We could side step some of the first problem by changing the monkey patching in "obtain a WebSocket connection", but that does not seem like a good long term solution.

This came out of a discussion in #1241 which had a rather optimistic-and-wrong take on what sharing more logic would mean. As I envision it now we would keep the "obtain a WebSocket connection" operation, but we'd pass it a partition key as well, inline the relevant bits from the RFC as outlined above, and make it use "obtain a connection".

If this seems like a good plan I will make time to work on this. (I would like to solve this before #889 and #1118.)

cc @ddragana @MattMenke2 @ricea @yutakahirano

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1243

Received on Wednesday, 26 May 2021 16:41:55 UTC