- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 20 Jul 2011 20:49:52 +0200

* Takeshi Yoshino wrote:
>Use of deflate-stream is now mandatory in API spec. I think this kind of
>requirement is useless. How about leave it up to implementors' decision?
>http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917

The deflate-stream extension, when used for browser to server messages
allows an attacker to put whatever bytes he likes on the wire, after a
bit of unpredictable junk. Browser vendors were pretty opposed to that
for the normal protocol without extensions, and they were opposed to
having some way to make browsers send messages "unmasked"; so it would
be very odd for browser vendors to implement the extension.

And by the looks of it, the hybi Working Group may well drop
deflate-stream now. See
<http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html> and
<http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.

-- 
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Wednesday, 20 July 2011 11:49:52 UTC