[html5] r5170 - [giow] (1) Update WebSocket DOS protection to handle proxies.
whatwg at whatwg.org
Tue Jul 20 15:55:15 PDT 2010
Author: ianh
Date: 2010-07-20 15:55:14 -0700 (Tue, 20 Jul 2010)
New Revision: 5170
Modified:
complete.html
source
Log:
[giow] (1) Update WebSocket DOS protection to handle proxies.
Modified: complete.html
===================================================================
--- complete.html 2010-07-16 03:23:41 UTC (rev 5169)
+++ complete.html 2010-07-20 22:55:14 UTC (rev 5170)
@@ -209,7 +209,7 @@
<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
<hgroup><h1>Web Applications 1.0</h1>
- <h2 class="no-num no-toc">Draft Standard — 16 July 2010</h2>
+ <h2 class="no-num no-toc">Draft Standard — 20 July 2010</h2>
</hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
<p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
<!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -72815,9 +72815,21 @@
is no more than one connection at a time running through the
following steps.</p>
+ <p>If the user agent cannot determine the IP address of the remote
+ host (for example because all communication is being done through
+ a proxy server that performs DNS queries itself), then the user
+ agent must assume for the purposes of this step that each host
+ name refers to a distinct remote host, but should instead limit
+ the total number of simultaneous connections that are not <a href=#websocket-connection-is-established title="WebSocket connection is established">established</a> to
+ a reasonably low number (e.g., in a Web browser, to the number of
+ tabs the user has open).</p>
+
<p class=note>This makes it harder for a script to perform a
denial of service attack by just opening a large number of
- WebSocket connections to a remote host.</p>
+ WebSocket connections to a remote host. A server can further
+ reduce the load on itself when attacked by making use of this by
+ pausing before closing the connection, as that will reduce the
+ rate at which the client reconnects.</p>
<p class=note>There is no limit to the number of <a href=#websocket-connection-is-established title="WebSocket connection is established">established</a>
WebSocket connections a user agent can have with a single remote
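Review bot: the new paragraph is ambiguous about whether the global cap replaces or supplements the per-host rule; "must assume ... that each host name refers to a distinct remote host, but should instead limit the total number of simultaneous connections" reads as if the one-connection-per-host serialisation is dropped in the proxy case, yet the preceding sentence still says the user agent "must assume" the per-host-name interpretation. If the intent is that the per-host-name rule still applies and a total cap is added on top, "and should additionally limit" states that; if the total cap is meant to replace the per-host rule, the "must assume" clause can be cut. Separately, tying the example limit to "the number of tabs the user has open" makes the cap a moving target that a single-tab user would find very low (one pending handshake) and that is not under the user agent's sole control; a small fixed constant would be easier to implement consistently and to reason about.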
Modified: source
===================================================================
--- source 2010-07-16 03:23:41 UTC (rev 5169)
+++ source 2010-07-20 22:55:14 UTC (rev 5170)
@@ -81943,9 +81943,22 @@
is no more than one connection at a time running through the
following steps.</p>
+ <p>If the user agent cannot determine the IP address of the remote
+ host (for example because all communication is being done through
+ a proxy server that performs DNS queries itself), then the user
+ agent must assume for the purposes of this step that each host
+ name refers to a distinct remote host, but should instead limit
+ the total number of simultaneous connections that are not <span
+ title="WebSocket connection is established">established</span> to
+ a reasonably low number (e.g., in a Web browser, to the number of
+ tabs the user has open).</p>
+
<p class="note">This makes it harder for a script to perform a
denial of service attack by just opening a large number of
- WebSocket connections to a remote host.</p>
+ WebSocket connections to a remote host. A server can further
+ reduce the load on itself when attacked by making use of this by
+ pausing before closing the connection, as that will reduce the
+ rate at which the client reconnects.</p>
<p class="note">There is no limit to the number of <span
title="WebSocket connection is established">established</span>
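Review bot: the added note sentence is hard to parse ("by making use of this by pausing before closing the connection") and leaves the mechanism implicit: the throttling only works because a connection whose handshake has not completed still counts against the client's not-established limit, so the server has to pause before completing or rejecting the handshake, not after the connection is established. Suggest something like "A server under attack can take advantage of this limit by delaying its response before closing the connection, since the client cannot open another connection to that host until the pending one has finished." It may also be worth noting the trade-off that holding the handshake open keeps a server socket occupied for the duration of the pause, so the benefit depends on that being cheaper than servicing a rapid reconnect. Since this hunk carries the same text as the complete.html hunk, the wording should be fixed here so both copies stay in sync.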