- From: Richard's Hotmail <maher_rj@hotmail.com>
- Date: Wed, 29 Oct 2008 17:52:02 +0800
Hear! Hear! ----- Original Message ----- From: "Shannon" <shannon@arc.net.au> To: "Anne van Kesteren" <annevk at opera.com> Cc: "WHATWG" <whatwg at whatwg.org> Sent: Tuesday, September 30, 2008 12:59 PM Subject: Re: [whatwg] WebSocket websocket-origin > Anne van Kesteren wrote: > > What is the reason for doing literal comparison on the > > websocket-origin and websocket-location HTTP headers? Access Control > > for Cross-Site Requests is currently following this design for > > access-control-allow-origin but sicking is complaining about so maybe > > it should be URL-without-<path> comparison instead. (E.g., then > > http://example.org and http://example.org:80 would be equivalent.) > > > > > I think the temptation to standardise features like access control > defeats the point of websockets. Since things like access control and > sessions can be readily implemented via CGI interfaces it seems implied > that the whole point of websockets is to provide "lightweight" services. > If the service actually needs something like this then the author can > perform the check post-handshake using any method they feel like. I > don't really feel strongly one way or the other about this particular > header but I'm concerned about the slippery-slope of complicating the > HTTP handshake to the point where you might as well be using CGI. Maybe > the standard should simply recommend sending the header but make no > requirement about how it is parsed. That way the service itself can > decide whether the check is even necessary and if so whether it should > be strict or loose or regex-based without the client automatically > hanging up the connection. > > Shannon >
Received on Wednesday, 29 October 2008 02:52:02 UTC