- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 20 Jul 2011 15:54:30 -0700
On Wed, Jul 20, 2011 at 11:49 AM, Bjoern Hoehrmann <derhoermi at gmx.net> wrote:
> * Takeshi Yoshino wrote:
>>Use of deflate-stream is now mandatory in API spec. I think this kind of
>>requirement is useless. How about leave it up to implementors' decision?
>>http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917
>
> The deflate-stream extension, when used for browser to server messages
> allows an attacker to put whatever bytes he likes on the wire, after a
> bit of unpredictable junk. Browser vendors were pretty opposed to that
> for the normal protocol without extensions, and they were opposed to
> having some way to make browsers send messages "unmasked"; so it would
> be very odd for browser vendors to implement the extension. And by the
> looks of it, the hybi Working Group may well drop deflate-stream now.
> See <http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html>
> and <http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.

Isn't the obvious solution to both problems to apply compression before masking?

Adam
Received on Wednesday, 20 July 2011 15:54:30 UTC
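
The ordering proposed in the message above, sketched in Python as an added example (not code from the thread or from any WebSocket specification): the client compresses the message with raw DEFLATE and only then applies the 4-byte XOR mask, so the bytes on the wire depend on an unpredictable per-frame key. The frame layout follows RFC 6455; `client_frame`, `server_read` and `MAX_MESSAGE` are names assumed for this illustration.

```python
import os
import struct
import zlib

MAX_MESSAGE = 1 << 20  # assumed cap on decompressed size (guards against inflate bombs)


def mask(data: bytes, key: bytes) -> bytes:
    """XOR with the 4-byte masking key; applying it twice restores the input."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def client_frame(message: bytes, key: bytes = b"") -> bytes:
    """Compress first, then mask, then emit one final binary frame."""
    key = key or os.urandom(4)  # fresh unpredictable key per frame
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    payload = comp.compress(message) + comp.flush()
    n = len(payload)
    if n < 126:
        header = bytes([0x82, 0x80 | n])
    elif n < 1 << 16:
        header = bytes([0x82, 0x80 | 126]) + struct.pack("!H", n)
    else:
        header = bytes([0x82, 0x80 | 127]) + struct.pack("!Q", n)
    return header + key + mask(payload, key)


def server_read(frame: bytes) -> bytes:
    """Parse one client frame, unmask it, then decompress with a size cap."""
    if len(frame) < 2 or not frame[1] & 0x80:
        raise ValueError("client frame must be masked")
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack_from("!H", frame, 2)[0], 4
    elif n == 127:
        n, pos = struct.unpack_from("!Q", frame, 2)[0], 10
    key, body = frame[pos:pos + 4], frame[pos + 4:pos + 4 + n]
    if len(key) != 4 or len(body) != n:
        raise ValueError("truncated frame")
    inflater = zlib.decompressobj(wbits=-15)
    message = inflater.decompress(mask(body, key), MAX_MESSAGE)
    if inflater.unconsumed_tail:
        raise ValueError("decompressed message exceeds MAX_MESSAGE")
    return message
```

The same message sent under two different keys produces different wire bytes, while the receiver recovers the original by reversing the steps in the opposite order (unmask, then inflate).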