[whatwg] Why deflate-stream is required to be enabled by the WebSocket API?

* Takeshi Yoshino wrote:
>Use of deflate-stream is now mandatory in the API spec. I think this kind of
>requirement is useless. How about leaving it up to implementors' decision?
>http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917

The deflate-stream extension, when used for browser-to-server messages,
allows an attacker to put whatever bytes he likes on the wire, after a
bit of unpredictable junk. Browser vendors were pretty opposed to that
for the normal protocol without extensions, and they were opposed to
having some way to make browsers send messages "unmasked"; so it would
be very odd for browser vendors to implement the extension. And by the
looks of it, the hybi Working Group may well drop deflate-stream now.
See <http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html>
and <http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.
-- 
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Wednesday, 20 July 2011 11:49:52 UTC