- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 13 Oct 2009 11:37:00 +0000 (UTC)
On Fri, 4 Sep 2009, Wenbo Zhu wrote:
>
> re: http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-40
> 1) section 6: "User agents should not close the Web Socket connection
> arbitrarily."
>
> Please clarify what "arbitrarily" means .. given there is no handshake
> for close?

Arbitrarily here has its usual meaning, "Determined by chance, whim, or
impulse, and not by necessity, reason, or principle". The point being that
the connection is only to be closed upon the request of the user of the
Web Socket API, and not, e.g., based on a timer.

> 2) section 7: "Servers that only accept input from one origin can just
> send back that value in the "WebSocket-Origin" header, without bothering
> to check the client's value."
>
> I suppose servers should still verify the (single) origin to ensure it
> matches .. Yes, the server simply echoes back the received origin
> thereafter.

No, the server need not check the origin in this case. The UA performs
that check. (The UA can be trusted to perform that check to the same
extent that the UA can be trusted to provide the correct Origin header.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 13 October 2009 04:37:00 UTC
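
The origin check described in the reply above, as an added example that is not part of the original message or of the draft: a simplified model in which only the `Origin` and `WebSocket-Origin` headers named in the thread are represented. The function names, the sample origins and the exact-string comparison are assumptions made for illustration.

```javascript
// Simplified model of the origin part of the handshake (assumption: every
// other header and the framing are left out; origins compare as exact strings).

// Server that accepts input from one origin: it always answers with its
// fixed value and never looks at what the client sent.
function singleOriginServer(allowedOrigin) {
  return function respond(_clientHeaders) {
    return { "WebSocket-Origin": allowedOrigin };
  };
}

// Server that accepts several origins: it has to read the client's Origin
// to decide which value to send back, or to refuse (modelled as null).
function multiOriginServer(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function respond(clientHeaders) {
    const origin = clientHeaders["Origin"];
    return allowed.has(origin) ? { "WebSocket-Origin": origin } : null;
  };
}

// UA-side check: the connection opens only if the server's WebSocket-Origin
// equals the origin of the page that created the socket.
function uaConnect(pageOrigin, server) {
  const response = server({ Origin: pageOrigin });
  if (response === null) return "refused by server";
  return response["WebSocket-Origin"] === pageOrigin
    ? "open"
    : "failed by UA: origin mismatch";
}

// Constructed sample origins (hypothetical hosts).
const chat = singleOriginServer("http://chat.example");
const multi = multiOriginServer(["http://a.example", "http://b.example"]);

function demo() {
  return [
    uaConnect("http://chat.example", chat),  // allowed page, fixed reply
    uaConnect("http://other.example", chat), // other page, same fixed reply
    uaConnect("http://b.example", multi),    // listed origin is echoed back
    uaConnect("http://other.example", multi) // unlisted origin is refused
  ];
}

console.log(demo());
```

In the single-origin case the mismatch is caught entirely on the UA side, which is why the guarantee extends only as far as the UA can be trusted to send the correct `Origin` header and to perform the comparison.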