[whatwg] spec comments (websocket)

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 13 Oct 2009 11:37:00 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0910131134140.25383@hixie.dreamhostps.com>

On Fri, 4 Sep 2009, Wenbo Zhu wrote:
>
> re: http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-40
> 1) section 6:  "User agents should not close the Web Socket connection
> arbitrarily."
> 
> Please clarify what "arbitrarily" means .. given there is no handshake 
> for close?

Arbitrarily here has its usual meaning, "Determined by chance, whim, or 
impulse, and not by necessity, reason, or principle".

The point being that the connection is only to be closed upon the request 
of the user of the Web Socket API, and not, e.g., based on a timer.


> 2) section 7: "Servers that only accept input from one origin can just 
> send back that value in the "WebSocket-Origin" header, without bothering 
> to check the client's value."
> 
> I suppose servers should still verify the (single) origin to ensure it 
> matches .. Yes, the server simply echoes back the received origin 
> thereafter.

No, the server need not check the origin in this case. The UA performs 
that check. (The UA can be trusted to perform that check to the same 
extent that the UA can be trusted to provide the correct Origin header.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 13 October 2009 04:37:00 UTC
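
Added example, not part of the original message or of the draft: a simplified Python model of the handshake point discussed in item 2, comparing a single-origin server that sends a fixed "WebSocket-Origin" value with one that also checks the client's Origin. The origins, host, path, function names and the exact-string comparison are assumptions made for illustration.

```python
# Added illustration; header names follow the handshake of the draft discussed
# above. Origins, host and path are constructed sample values.
ALLOWED_ORIGIN = "http://app.example"   # the single origin this server serves


def server_handshake(request_headers, host="ws.example", path="/chat"):
    """Single-origin server: reply with a fixed WebSocket-Origin value.

    request_headers (including the client's Origin) is deliberately ignored.
    """
    return {
        "Upgrade": "WebSocket",
        "Connection": "Upgrade",
        "WebSocket-Origin": ALLOWED_ORIGIN,
        "WebSocket-Location": f"ws://{host}{path}",
    }


def checking_server_handshake(request_headers, host="ws.example", path="/chat"):
    """Variant that also compares the client's Origin; None means refuse."""
    if request_headers.get("Origin") != ALLOWED_ORIGIN:
        return None
    return server_handshake(request_headers, host, path)


def ua_accepts(page_origin, response_headers):
    """User-agent side: fail the connection unless the server named our origin."""
    if response_headers is None:
        return False
    return response_headers.get("WebSocket-Origin") == page_origin


def connect_from_page(page_origin, server=server_handshake):
    """Model a conforming UA: send the true Origin, then check the reply."""
    request = {"Upgrade": "WebSocket", "Connection": "Upgrade",
               "Host": "ws.example", "Origin": page_origin}
    return ua_accepts(page_origin, server(request))


if __name__ == "__main__":
    for origin in ("http://app.example", "http://other.example"):
        print(origin,
              "fixed-value:", connect_from_page(origin),
              "checking:", connect_from_page(origin, checking_server_handshake))
```

Both server variants give the same outcome for a conforming UA. Neither constrains a client that is not one, which is the trust caveat stated in the reply.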
