From: <bugzilla@jessica.w3.org>
Date: Wed, 07 Dec 2011 20:12:55 +0000
To: public-webapps@w3.org
Bug: https://www.w3.org/Bugs/Public/show_bug.cgi?id=15104
Summary: In reply to: <p class="warning">Following HTTP
procedures here could introduce serious security
problems in a Web browser context. For example,
consider a host with a WebSocket server at one path
and an open HTTP redirector at another. Suddenl
Product: WebAppsWG
Version: unspecified
Platform: Other
URL: http://www.whatwg.org/specs/web-apps/current-work/#top
OS/Version: other
Status: NEW
Severity: normal
Priority: P3
Component: WebSocket API (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: contributor@whatwg.org
QAContact: member-webapi-cvs@w3.org
CC: mike@w3.org, public-webapps@w3.org
Specification: http://dev.w3.org/html5/websockets/
Multipage: http://www.whatwg.org/C#top
Complete: http://www.whatwg.org/c#top
Comment:
In reply to:
<p class="warning">Following HTTP procedures here could introduce
serious security problems in a Web browser context. For example,
consider a host with a WebSocket server at one path and an open
HTTP redirector at another. Suddenly, any script that can be given
a particular WebSocket URL can be tricked into communicating to
(and potentially sharing secrets with) any host on the Internet,
even if the script checks that the URL has the right hostname.</p>
It SHOULD be possible to get the information from HTTP Status Codes 4xx and
5xx, to provide the ability to return useful information to the client, for
example, a "400 Bad Request" response with the following message "WebSocket
Version 8 or greater is required".
Posted from: 189.239.8.169
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2
Received on Wednesday, 7 December 2011 20:12:57 UTC
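The quoted spec warning and the reporter's request both concern what a client does with a non-101 handshake response: a 3xx must never be followed (an open redirector on the same host could otherwise steer the connection anywhere), while a 4xx/5xx carries information worth surfacing. The following is an added illustration, not code from the bug report, the WHATWG/W3C specification, or any browser; it validates a raw RFC 6455 handshake response against the client's Sec-WebSocket-Key, refuses redirects, and preserves the status, reason and body of error responses. Function names, the returned dictionary shape and the sample responses are all assumptions constructed for this example; the client key is the one used in RFC 6455's own worked example.

```python
import base64
import hashlib
import secrets

# Fixed GUID that RFC 6455 appends to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_key() -> str:
    """Sec-WebSocket-Key: 16 random bytes, base64-encoded (RFC 6455 section 4.1)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for this client key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, reason, headers, body.decode("utf-8", errors="replace")


def validate_handshake(raw: bytes, client_key: str) -> dict:
    """Decide whether a handshake response may be accepted (hypothetical helper).

    Returns {"ok": True} for a valid 101; otherwise {"ok": False, "error": ...}
    with the server's status, reason and body kept so the caller can show a
    useful message such as which WebSocket version the server requires.
    """
    status, reason, headers, body = parse_response(raw)

    # Any 3xx is refused outright: following it would let an open redirector
    # on the same host move the connection to a host the script never chose.
    if 300 <= status < 400:
        return {"ok": False, "error": "redirect refused",
                "location": headers.get("location", "")}

    # 4xx/5xx: report status, reason and body rather than swallowing them.
    if status != 101:
        return {"ok": False, "error": f"{status} {reason}".strip(),
                "body": body.strip()}

    # 101: the upgrade headers and the key-derived accept value must all check out.
    if headers.get("upgrade", "").lower() != "websocket":
        return {"ok": False, "error": "missing Upgrade: websocket"}
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return {"ok": False, "error": "missing Connection: Upgrade"}
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return {"ok": False, "error": "Sec-WebSocket-Accept mismatch"}
    return {"ok": True}


# Constructed sample responses (not captured traffic). SAMPLE_KEY is the
# client key from RFC 6455 section 1.3, whose accept value is known.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="

REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: ws://other.example/socket\r\n\r\n")

OLD_VERSION = (b"HTTP/1.1 400 Bad Request\r\n"
               b"Sec-WebSocket-Version: 8, 13\r\n"
               b"Content-Type: text/plain\r\n\r\n"
               b"WebSocket Version 8 or greater is required")

GOOD = (b"HTTP/1.1 101 Switching Protocols\r\n"
        b"Upgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

WRONG_ACCEPT = GOOD.replace(b"s3pPLMBiTxaQ9kYGzzhZRbK+xOo=",
                            b"AAAAAAAAAAAAAAAAAAAAAAAAAAA=")

if __name__ == "__main__":
    for name, resp in [("redirect", REDIRECT), ("old version", OLD_VERSION),
                       ("good", GOOD), ("wrong accept", WRONG_ACCEPT)]:
        print(name, validate_handshake(resp, SAMPLE_KEY))
```

The redirect branch deliberately returns before any header is trusted, so a Location value is reported but never acted on; the 4xx branch keeps the body verbatim, which is exactly the "WebSocket Version 8 or greater is required" text the reporter wants a client to be able to show. Whether a browser exposes that text through the WebSocket API is a separate question that this check does not answer.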