[html5] r6148 - [giow] (0) Block redirects in WebSockets

whatwg at whatwg.org
Tue May 24 16:16:42 PDT 2011


Author: ianh
Date: 2011-05-24 16:16:41 -0700 (Tue, 24 May 2011)
New Revision: 6148

Modified:
   complete.html
   source
Log:
[giow] (0) Block redirects in WebSockets

Modified: complete.html
===================================================================
--- complete.html	2011-05-23 21:29:13 UTC (rev 6147)
+++ complete.html	2011-05-24 23:16:41 UTC (rev 6148)
@@ -239,7 +239,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1>Web Applications 1.0</h1>
-    <h2 class="no-num no-toc">Living Standard — Last Updated 23 May 2011</h2>
+    <h2 class="no-num no-toc">Living Standard — Last Updated 24 May 2011</h2>
    </hgroup><dl><dt>Multiple-page version:</dt>
     <dd><a href=http://www.whatwg.org/specs/web-apps/current-work/complete/>http://www.whatwg.org/specs/web-apps/current-work/complete/</a></dd>
     <dt>One-page version:</dt>
@@ -78898,6 +78898,21 @@
     the resource name, with <var title="">protocols</var> as the
     (possibly empty) list of protocols, and with the <var title="">defer cookies</var> flag set. <a href=#refsWSP>[WSP]</a></p>
 
+    <p>When the user agent <i>validates the server's response</i> during
+    the "<span>establish a WebSocket connection</span>" algorithm, if
+    the status code received from the server is not 101 (e.g. it is a
+    redirect), the user agent must <span>fail the websocket
+    connection</span>.</p>
+
+    <p class=warning>Following HTTP procedures here could introduce
+    serious security problems in a Web browser context. For example,
+    consider a host with a WebSocket server at one path and an open
+    HTTP redirector at another. Suddenly, any script that can be given
+    a particular WebSocket URL can be tricked into communicating to
+    (and potentially sharing secrets with) any host on the Internet,
+    even if the script checks that the URL has the right hostname.</p>
+    <!-- http://www.ietf.org/mail-archive/web/hybi/current/msg06951.html -->
+
     <p class=note>If the "<span>establish a WebSocket
     connection</span>" algorithm fails, it triggers the "<span>fail
     the WebSocket connection</span>" algorithm, which then invokes
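Review bot: the new paragraph's cross-reference "fail the websocket connection" uses a lowercase "websocket", while the existing note directly below it (and the rest of the section) spells the algorithm "fail the WebSocket connection"; the `<span>` should match the defined name exactly so the link resolves to the intended algorithm rather than silently failing to cross-reference. Suggest `the user agent must <span>fail the WebSocket connection</span>`. Also, "validates the server's response" is set in `<i>` rather than as a `<span>` cross-reference like the other algorithm names in this hunk; if it names a step of the "establish a WebSocket connection" algorithm in [WSP], a consistent markup choice (plain text or a cross-reference, not italics) would make that clearer.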
@@ -79198,8 +79213,8 @@
   WebSocket connection</span>. <a href=#refsWSP>[WSP]</a></p>
 
 
-  
 
+
   </div><!--data-component-->
 
 

Modified: source
===================================================================
--- source	2011-05-23 21:29:13 UTC (rev 6147)
+++ source	2011-05-24 23:16:41 UTC (rev 6148)
@@ -89547,6 +89547,21 @@
     title="">defer cookies</var> flag set. <a
     href="#refsWSP">[WSP]</a></p>
 
+    <p>When the user agent <i>validates the server's response</i> during
+    the "<span>establish a WebSocket connection</span>" algorithm, if
+    the status code received from the server is not 101 (e.g. it is a
+    redirect), the user agent must <span>fail the websocket
+    connection</span>.</p>
+
+    <p class="warning">Following HTTP procedures here could introduce
+    serious security problems in a Web browser context. For example,
+    consider a host with a WebSocket server at one path and an open
+    HTTP redirector at another. Suddenly, any script that can be given
+    a particular WebSocket URL can be tricked into communicating to
+    (and potentially sharing secrets with) any host on the Internet,
+    even if the script checks that the URL has the right hostname.</p>
+    <!-- http://www.ietf.org/mail-archive/web/hybi/current/msg06951.html -->
+
     <p class="note">If the "<span>establish a WebSocket
     connection</span>" algorithm fails, it triggers the "<span>fail
     the WebSocket connection</span>" algorithm, which then invokes
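Review bot: the normative sentence rejects every status code other than 101 ("if the status code received from the server is not 101"), so it also fails the connection on 401/407 authentication challenges and any other non-redirect response, which is broader than the commit message "Block redirects in WebSockets" suggests; if the wider scope is intended, the parenthetical "(e.g. it is a redirect)" could say so explicitly ("e.g. it is a redirect or an authentication challenge") so readers do not take redirects as the only case, and if it is not intended the condition should be narrowed to 3xx codes. The same lowercase "websocket" in `<span>fail the websocket connection</span>` appears in this copy as well; since the identical paragraph is in both `source` and `complete.html`, the capitalization fix needs to land in both.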
@@ -89928,7 +89943,7 @@
   WebSocket connection</span>. <a href="#refsWSP">[WSP]</a></p>
 
 
-  <!--END websocket-api-->
+<!--END websocket-api-->
 
   </div><!--data-component-->
 
