W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2008

[whatwg] WebSocket support in HTML5

From: Richard's Hotmail <maher_rj@hotmail.com>
Date: Sat, 27 Sep 2008 14:00:27 +0800
Message-ID: <BAY131-DAV12B108B973B7C558364B17FB460@phx.gbl>
Hi Shannon,

[It's hard to determine the substance of your complaint. It appears you don't really understand the Java, Flex or Silverlight implementations. They are all quite restrictive, just in different ways:]

Perhaps but they do not place restrictions/preconditions on the content and format of what goes up and down the socket! 

[* Java raises a security exception unless the user authorises the socket using an ugly and confusing popup security dialog]

Oh really? Vista settings? New with Java 6_10? You may recall that in my previous post, I gave links to two examples of a Java Applet that uses TCP Sockets to communicate back to the codebase: -

> http://manson.vistech.net/t3$examples/demo_client_flex.html
> http://manson.vistech.net/t3$examples/demo_client_web.html
> 
> In both cases the Username is TIER3_DEMO and the password is QUEUE.
> 
> Obviously, you can "view source" for the HTML and Javascript and the Java
> Applet and MXML source can be found at
> http://manson.vistech.net/t3$examples/

Which one(s) raised the pop-up dialog and on what Browser/OS/Settings?

[* Flex and Silverlight requires the remote server or device also run a webserver (to serve crossdomain.xml). Flex supports connections ONLY to port numbers higher than 1024.]

Sure, and Silverlight will only let you connect to a very narrow range of port numbers. There are many restrictions and idiosyncrasies but, again, not on content. Look I don't like the fact that Flex doesn't support UDP, or connection timeouts, or the OOB character which is why I personally use Java Sockets and the FABridge to channel data too/from Flex for presentation; but I'd much rather do it straight from HTML/Javascript/WebSockets.

[The crossdomain files for each platform have different filenames and appear to already be partly incompatible between the two companies, hardly a "standard".]

Unlike one of the many standards (and numerous implementations of) which can be found with HTML, DOM, Javascript. . .please!

[As someone who works in an ISP I assure you this is an incorrect assumuption. Many ISPs run additional services on their webserver, such as databases and email, to save rack hosting costs or for simplicity or security reasons. I would not want one of our virtual hosting customers authorising web visitors access to those services.]

Different strokes for different folks eh? One size not necessarily fitting all? Everyone else not in your boat?

[It is also fundamentally flawed to assume services on ports greater than 1024 are automatically "safe".]

I certainly agree, but if JAR or SWF file is connecting back to the codebase/same-origin then what is the problem? Or if the System Manager at the target node has authorized connections from Applets hosted on one of his seperate sub-domains then what is the risk in that? (Apart from him perhaps declaring his trust for code that he simply shouldn't)?

[Both Silverlight and Flash/Flex are fundamentally flawed since they run on the assumption that a file hosted on port 80 is an authorative security policy for a whole server.]

Maybe port level granularity would have been a useful configuration option. But for two products that you have deemed fundamentally flawed, they have gained a fair bit of traction. (And, unlike WebSockets, they're out there. For better or worse.)

[These companies chose convienience over security, which quite frankly is why their software is so frequently exploited. ]

Again, unlike the rock-solid, vulnerability-devoid HTTP, HTML, DOM, Javascript. . .?

[However that's between them and their customers, this group deals with standards that must be acceptable to the web community at large.]

Presumably the relevance of these "standards" is also of some issue to "the web community at large"? 

Anyway, good luck with that Genie/Bottle standard. (Put it in formaldehyde and it'll sell :-)

[If you are worried about the complexity of implementing the server end of the service I can't see why, it's about 3-6 lines of output and some reasonably straight-forward text parsing. It could easily be done with a wrapper for existing services.]

Yes, I agree it's more inconvenient than debilitating, but needlessly so.

[Other than that it behaves as an asynchronous binary TCP socket. What exactly are you concerned about?]

Other than that, nothing.

Cheers Richard Maher
  ----- Original Message ----- 
  From: Shannon 
  To: Richard's Hotmail 
  Cc: WHAT working group 
  Sent: Monday, September 22, 2008 12:09 PM
  Subject: Re: [whatwg] WebSocket support in HTML5




  Richard's Hotmail wrote: 

    My particular beef is with the intended WebSocket support, and specifically the restrictive nature of its implementation. I respectfully, yet forcefully, suggest that the intended implementation is complete crap and you'd do better to look at existing Socket support from SUN Java, Adobe Flex, and Microsoft Silverlight before engraving anything into stone! What we need (and is a really great idea) is native HTML/JavaScript support for Sockets - What we don't need is someone re-inventing sockets 'cos they think they can do it better.

    Anyway I find it difficult to not be inflammatory so I'll stop now, but please look to the substance of my complaint (and the original post in comp.lang.JavaScript attached below) and at least question why it is that you are putting all these protocol restriction on binary socket support.
  It's hard to determine the substance of your complaint. It appears you don't really understand the Java, Flex or Silverlight implementations. They are all quite restrictive, just in different ways:

  * Java raises a security exception unless the user authorises the socket using an ugly and confusing popup security dialog
  * Flex and Silverlight requires the remote server or device also run a webserver (to serve crossdomain.xml). Flex supports connections ONLY to port numbers higher than 1024. The crossdomain files for each platform have different filenames and appear to already be partly incompatible between the two companies, hardly a "standard".

  Both Silverlight and Flash/Flex are fundamentally flawed since they run on the assumption that a file hosted on port 80 is an authorative security policy for a whole server. As someone who works in an ISP I assure you this is an incorrect assumuption. Many ISPs run additional services on their webserver, such as databases and email, to save rack hosting costs or for simplicity or security reasons. I would not want one of our virtual hosting customers authorising web visitors access to those services. It is also fundamentally flawed to assume services on ports greater than 1024 are automatically "safe".

  These companies chose convienience over security, which quite frankly is why their software is so frequently exploited. However that's between them and their customers, this group deals with standards that must be acceptable to the web community at large.

  The current approach the HTML spec is taking is that that policy files are essentially untrustworthy so the service itself must arbitrate access with a handshake. Most of the details of this handshake are hidden from the Javascript author so your concerns about complexity seem unjustified. If you are worried about the complexity of implementing the server end of the service I can't see why, it's about 3-6 lines of output and some reasonably straight-forward text parsing. It could easily be done with a wrapper for existing services.

  Other than that it behaves as an asynchronous binary TCP socket. What exactly are you concerned about?

  Shannon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080927/ad770a55/attachment.htm>
Received on Friday, 26 September 2008 23:00:27 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:05 UTC