- From: Frode Børli <frode@seria.no>
- Date: Tue, 22 Jul 2008 00:10:00 +0200

I have some feedback based on the discussions I participated in earlier. Since I am on vacation I cannot give a proper proposal but I think the following should be considered:

1. Allow pure TCPSocket using this method:

    var s = new TCPSocket("/tcpsocket.xml");

The tcpsocket.xml-file must have a structure similar to this:

    <websocket>
      <host>hostname/ip-address</host>
      <port>portnumber</port>
      <allow-origin>*</allow-origin>
    </websocket>

Clarifications:

host: if specified and if the host is another host than the host where tcpsocket.xml was downloaded from - a secure algorithm should be applied, for example using reverse dns lookups on the target IP-address and inspecting the TXT-records of the host name that the reverse lookup returned.

port: any port

allow-origin: simple method of limiting who can connect to the port specified in the tcpsocket.xml-file. For example this could be the complete url of the javascript file or it could contain wildcards.

Advantages:

- Easy to adopt today on existing servers and can easily utilize for example existing IRC-servers etc without modifications.
- Enables cross site usage (script on www.example.com can connect to Yahoo by downloading www.yahoo.com/websocket.xml)
- Requires access to place files on the targeted server - so it is not possible by simple cross site scripting attacks.
- A simple perl script can dynamically generate the xml-file above.
- Allows connection to SMTP servers only if the server owner intends to allow it.

2. WebSockets should use previous work from RFC 2817 (http://www.ietf.org/rfc/rfc2817.txt). Web servers such as Apache must then be extended to support websockets, but it should be very easy for a developer to start using websockets. It would not require an extra application listening on a separate port, and it would by definition work in a virtual hosting environment.

Since the request is to an ordinary URL, the webserver will direct the request to a file or script in the web root for the virtual host and this script can decide to send a 426 Upgrade Required response, or it can send 401 Unauthorised if the client sent the wrong Origin headers.

Received on Monday, 21 July 2008 15:10:00 UTC
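
An added example, not part of the original message: a Python sketch of how a client could evaluate the proposed tcpsocket.xml before opening a connection. The function names, the sample policy and the meaning of "*" (any run of characters in the script URL) are assumptions, since the email leaves them open.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy, following the structure sketched in the email.
SAMPLE_POLICY = """<websocket>
  <host>irc.example.net</host>
  <port>6667</port>
  <allow-origin>http://www.example.com/*</allow-origin>
</websocket>"""


def origin_allowed(pattern, script_url):
    # Assumption: '*' is the only wildcard and matches any run of characters;
    # everything else is compared literally against the full script URL.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, script_url) is not None


def check_policy(policy_xml, policy_url, script_url):
    """Return the connection decision a client could derive from the policy."""
    # The policy is untrusted input: refuse DTDs so no entities get expanded.
    if "<!DOCTYPE" in policy_xml or "<!ENTITY" in policy_xml:
        raise ValueError("DTD not permitted in policy file")
    root = ET.fromstring(policy_xml)
    if root.tag != "websocket":
        raise ValueError("unexpected root element")

    policy_host = urlsplit(policy_url).hostname
    # <host> is optional; without it the target is the policy's own host.
    host = (root.findtext("host") or "").strip().lower() or policy_host
    port = int((root.findtext("port") or "").strip())
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")

    patterns = [e.text.strip() for e in root.findall("allow-origin") if e.text]
    return {
        "host": host,
        "port": port,
        "allowed": any(origin_allowed(p, script_url) for p in patterns),
        # A target other than the policy's own host needs the extra check
        # the email proposes (reverse DNS plus TXT records), not done here.
        "needs_host_verification": host != policy_host,
    }
```

A pattern that ends the host name with "/" before the wildcard, as in the sample, keeps "*" from matching a longer look-alike host name.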