W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2008

[whatwg] TCPConnection feedback

From: Philipp Serafin <phil127@gmail.com>
Date: Wed, 18 Jun 2008 23:26:37 +0200
Message-ID: <f042876c0806181426y74d7edc9q4677e6b84093cbab@mail.gmail.com>
> Still I do not believe it should have a specific protocol.

I think a major problem with raw TCP connections is that they would be
the nightmare of every administrator. If web pages could use every
sort of homebrew protocol on all possible ports, how could you still
sensibly configure a firewall without the danger of accidentally
disabling mary sue grandmother's web application?

Also keep in mind the issue list Ian brought up in the other mail.
Things like URI based adressing and virtual hosting would not be
possible with raw TCP. That would make this feature a lot less useable
for authors that do not have full access over their server, like in
shared hosting situations, for example.

> [If a] protocol is decided on, and it is allowed to connect to any IP-address
> - then DDOS attacks can still be performed: If one million web
> browsers connect to any port on a single server, it does not matter
> which protocol the client tries to communicate with. The server will
> still have problems.

Couldn't this already be done today, though? You can already today
connect to an arbitrary server on an arbitrary port using forms,
<img>, <script src=""> and all other references that cannot be
cross-domain protected for backwards compatibillity reasons. The whole
hotlinking issue is basically the result of that.
How would WebSocket connections be more harmful than something like

  var img = new Image();
  img.src = "http://victim.example.com/" + generateLongRandomString();
}, 1000);

for example would?
Received on Wednesday, 18 June 2008 14:26:37 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:03 UTC