[whatwg] Why deflate-stream is required to be enabled by the WebSocket API?

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 20 Jul 2011 20:49:52 +0200
Message-ID: <o27e27dud46p02bksugedm3cimsvt7pbt3@hive.bjoern.hoehrmann.de>
* Takeshi Yoshino wrote:
>Use of deflate-stream is now mandatory in API spec. I think this kind of
>requirement is useless. How about leaving it up to implementors' decision?

The deflate-stream extension, when used for browser to server messages,
allows an attacker to put whatever bytes he likes on the wire, after a
bit of unpredictable junk. Browser vendors were pretty opposed to that
for the normal protocol without extensions, and they were opposed to
having some way to make browsers send messages "unmasked"; so it would
be very odd for browser vendors to implement the extension. And by the
looks of it, the hybi Working Group may well drop deflate-stream now.
See <http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html>
and <http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 20 July 2011 11:49:52 UTC