- From: Kornel Lesinski <kornel@ldreams.net>
- Date: Thu, 26 May 2005 20:58:35 +0100
> The client is polling the server. And often a new TCP
> connection is created (and later torn down) each time the server is
> polled. (Which, IMO, is bad.)

HTTP/1.1 uses persistent connections by default. If you set a long keepalive time on your webserver, chances are that all requests are going to be done over the same TCP/IP connection.

To have your own connections you'd have to use a port other than 80, and that may be disallowed on many restricted systems.

If the user navigates to the next page, the browser will destroy your JS objects and close their connections. That may result in worse performance than with an HTTP connection that is kept alive between pages.

Even if connections are limited to the same host, you couldn't safely serve anything else on it. Spammers might use numerous HTML-injection techniques to send spam using other people's computers, and this may get much worse if host restriction fails. From past experience of hundreds of cross-site scripting vulnerabilities, you can be sure that this will happen sooner or later.

BTW: There's a hack that lets you get data from the server without polling - use an iframe, start sending its contents and don't close the connection - keep sending <script> elements one by one.

--
Regards, Kornel Lesinski
Received on Thursday, 26 May 2005 12:58:35 UTC
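
The iframe technique mentioned at the end of the message above, as an added example that is not part of the original post: the server keeps one HTML response open and writes one complete `<script>` element per message, escaping the payload so pushed data cannot close the script block, which is the HTML-injection concern the message raises. The names `jsLiteral`, `scriptChunk`, `openPushFrame` and the page-side handler `parent.onPush` are assumptions made for this example, and `res` is assumed to be any object with the `writeHead`/`write` methods of Node's `http.ServerResponse`.

```javascript
// Added illustration; every name here is hypothetical, not from the original post.

// Serialize a value for embedding in an inline <script>. JSON.stringify alone is
// not enough: a string containing "</script>" would end the script element, so
// "<", ">", "&" and U+2028/U+2029 are emitted as \uXXXX escapes instead.
function jsLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// One pushed message: a complete <script> element that calls a handler defined
// by the embedding page (parent.onPush is an assumed name; the iframe must be
// same-origin with its parent for this call to be allowed).
function scriptChunk(message) {
  return '<script>parent.onPush(' + jsLiteral(message) + ');</script>\n';
}

// Begin the never-ending iframe document and return a push(message) function.
// The response is never end()ed; the browser runs each script as it arrives.
function openPushFrame(res) {
  res.writeHead(200, {
    'Content-Type': 'text/html; charset=utf-8',
    'Cache-Control': 'no-store',
  });
  res.write('<!DOCTYPE html><html><body>\n');
  return message => res.write(scriptChunk(message));
}

// Constructed demo: a fake response object records what would go on the wire.
function demo() {
  const writes = [];
  const fakeRes = { writeHead() {}, write(s) { writes.push(s); return true; } };
  const push = openPushFrame(fakeRes);
  // Constructed hostile message text that tries to break out of the script block.
  push({ user: 'alice', text: '</script><script>alert(1)</script>' });
  return writes;
}
```

In a real server, `openPushFrame` would be called from the request handler for the iframe's URL, and the returned function invoked whenever there is something to deliver.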