[html5] r6161 - [giow] (0) Make it so that taking out all the streams temporarily doesn't kill a [...]
whatwg at whatwg.org
Tue May 31 15:12:45 PDT 2011
Author: ianh
Date: 2011-05-31 15:12:44 -0700 (Tue, 31 May 2011)
New Revision: 6161
Modified:
complete.html
index
source
Log:
[giow] (0) Make it so that taking out all the streams temporarily doesn't kill a PeerConnection object. Also, update the security section.
Modified: complete.html
===================================================================
--- complete.html 2011-05-31 20:32:14 UTC (rev 6160)
+++ complete.html 2011-05-31 22:12:44 UTC (rev 6161)
@@ -1005,8 +1005,10 @@
<li><a href=#obtaining-local-multimedia-content><span class=secno>9.2 </span>Obtaining local multimedia content</a></li>
<li><a href=#stream-api><span class=secno>9.3 </span>Stream API</a></li>
<li><a href=#peer-to-peer-connections><span class=secno>9.4 </span>Peer-to-peer connections</a></li>
- <li><a href=#the-data-stream><span class=secno>9.5 </span>The data stream</a></li>
- <li><a href=#security-considerations><span class=secno>9.6 </span>Security considerations</a></li>
+ <li><a href=#the-data-stream><span class=secno>9.5 </span>The data stream</a>
+ <ol>
+ <li><a href=#security-considerations><span class=secno>9.5.1 </span>Security considerations</a></ol></li>
+ <li><a href=#garbage-collection-0><span class=secno>9.6 </span>Garbage collection</a></li>
<li><a href=#event-definitions-0><span class=secno>9.7 </span>Event definitions</a></li>
<li><a href=#event-summary><span class=secno>9.8 </span>Event Summary</a></ol></li>
<li><a href=#workers><span class=secno>10 </span>Web workers</a>
@@ -1057,7 +1059,7 @@
<li><a href=#event-stream-interpretation><span class=secno>11.2.5 </span>Interpreting an event stream</a></li>
<li><a href=#notes><span class=secno>11.2.6 </span>Notes</a></li>
<li><a href=#eventsource-push><span class=secno>11.2.7 </span>Connectionless push and other features</a></li>
- <li><a href=#garbage-collection-0><span class=secno>11.2.8 </span>Garbage collection</a></li>
+ <li><a href=#garbage-collection-1><span class=secno>11.2.8 </span>Garbage collection</a></li>
<li><a href=#iana-considerations><span class=secno>11.2.9 </span>IANA considerations</a>
<ol>
<li><a href=#text/event-stream><span class=secno>11.2.9.1 </span><code>text/event-stream</code></a></li>
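Review bot: the fragment id garbage-collection-0 changes target in this revision. Before this hunk it belonged to 11.2.8; it is now assigned to the new section 9.6, with 11.2.8 moving to garbage-collection-1 and 11.3.3.2 to garbage-collection-2, so an existing link to any of these fragments silently lands on a different section. Giving the new 9.6 heading an explicit id in source (the source hunk adds a bare <h3>Garbage collection</h3>) would leave the two existing ids as they were.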
@@ -1069,7 +1071,7 @@
<li><a href=#feedback-from-the-protocol><span class=secno>11.3.3 </span>Feedback from the protocol</a>
<ol>
<li><a href=#event-definitions-2><span class=secno>11.3.3.1 </span>Event definitions</a></li>
- <li><a href=#garbage-collection-1><span class=secno>11.3.3.2 </span>Garbage collection</a></ol></ol></li>
+ <li><a href=#garbage-collection-2><span class=secno>11.3.3.2 </span>Garbage collection</a></ol></ol></li>
<li><a href=#web-messaging><span class=secno>11.4 </span>Cross-document messaging</a>
<ol>
<li><a href=#introduction-11><span class=secno>11.4.1 </span>Introduction</a></li>
@@ -74960,13 +74962,13 @@
<dt><dfn id=dom-peerconnection-active title=dom-PeerConnection-ACTIVE><code>ACTIVE</code></dfn> (numeric value 2)</dt>
- <dd>The ICE Agent has concluded ICE processing and media is streaming.</dd>
+ <dd>The ICE Agent has concluded ICE processing. If any media streams were successfully negotiated, any relevant media is streaming.</dd>
<dt><dfn id=dom-peerconnection-closed title=dom-PeerConnection-CLOSED><code>CLOSED</code></dfn> (numeric value 3)</dt>
<dd>Either the <code title=dom-PeerConnection-close><a href=#dom-peerconnection-close>close()</a></code> method has been
- invoked, or the other peer removed all the media streams, or the
- other peer has apparently abruptly stopped sending any media.</dd>
+ invoked, or the other peer has apparently abruptly stopped sending
+ any media.</dd>
</dl><p>When the <dfn id=dom-peerconnection title=dom-PeerConnection><code>PeerConnection()</code></dfn>
constructor is invoked, the user agent must run the following steps.
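Review bot: the CLOSED definition still lists "the other peer has apparently abruptly stopped sending any media" as a cause, but with the reworded ACTIVE definition a connection can be ACTIVE with no media streams negotiated, where no media arriving is the normal case. The definition should say what signals an abrupt stop when there is no media to stop, or limit that clause to connections that have at least one negotiated stream.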
@@ -75158,8 +75160,8 @@
generate any candidates for media streams whose media descriptions
do not have a label attribute ("<code title="">a=label:</code>"). <a href=#refsICE>[ICE]</a> <a href=#refsSDP>[SDP]</a> <a href=#refsSDPLABEL>[SDPLABEL]</a></p>
- <p>When a user agent starts receiving media for a component an a
- candidate provided for that component by a
+ <p>When a user agent starts receiving media for a component and a
+ candidate was provided for that component by a
<a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a>, the user agent
must follow these steps:</p>
@@ -75274,20 +75276,6 @@
object.</p>
<p>When a <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a>
- completes ICE processing with no active media streams, the user
- agent must <a href=#queue-a-task>queue a task</a> that sets the
- <code><a href=#peerconnection>PeerConnection</a></code> object's
- <a href=#peerconnection-readiness-state><code>PeerConnection</code> readiness state</a> to <code title=dom-PeerConnection-CLOSED><a href=#dom-peerconnection-closed>CLOSED</a></code> (3) and then, if the
- <code><a href=#peerconnection>PeerConnection</a></code> object's
- <a href=#peerconnection-readiness-state><code>PeerConnection</code> readiness state</a> has ever
- reached the <code title=dom-PeerConnection-ACTIVE><a href=#dom-peerconnection-active>ACTIVE</a></code>
- (2) state, <a href=#fire-a-simple-event title="fire a simple event">fires a simple
- event</a> named <code title=event-stream-close>close</code> at the
- <code><a href=#peerconnection>PeerConnection</a></code> object, or otherwise <a href=#fire-a-simple-event title="fire a
- simple event">fires a simple event</a> named <code title=event-stream-error>error</code> at the <code><a href=#peerconnection>PeerConnection</a></code>
- object.</p>
-
- <p>When a <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a>
restarts ICE processing for any reason (e.g. because a peer is
adding or removing a stream), the user agent must <a href=#queue-a-task>queue a
task</a> that sets the <code><a href=#peerconnection>PeerConnection</a></code> object's
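Review bot: the removed paragraph was also where an error event was fired at a PeerConnection that completed ICE processing without ever having reached ACTIVE. Dropping the "no active media streams" condition is the point of the change, but this hunk removes that notification along with it. Worth confirming that another step still reports that case to script, or stating in the log message that it is intentionally gone.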
@@ -75704,25 +75692,47 @@
</div>
- <h3 id=security-considerations><span class=secno>9.6 </span>Security considerations</h3>
+ <h4 id=security-considerations><span class=secno>9.5.1 </span>Security considerations</h4>
- <p>A <a href=#data-udp-media-stream>data UDP media stream</a> is encrypted, but that does
- not solve all security problems. In particular, <strong>replay
- attacks</strong> are possible. Scripts for which this would be a
- problem should give each packet a unique identifier and refuse to
- process the same packet twice.</p>
+ <p>The <a href=#data-udp-media-stream>data UDP media stream</a> packet format is designed
+ to protect against several obvious attacks. The data is made to
+ appear pseudo-random, so that it cannot be used in a cross-protocol
+ attack, even if somehow the stream were to be directed at an
+ unsuspecting remote host. The data is hashed in such a way that it
+ cannot be modified in transit. That data is encrypted so that it
+ cannot be read in transit.</p>
+ <p>These security mechanisms rely in part on a key that is
+ negotiated over the signalling channel; as such, the security is
+ only as strong as the security of the signaling channel. Authors are
+ encouraged to use TLS to protect the signalling channel and the
+ page(s) hosting the application, and are encouraged to secure the
+ host used to relay the signalling channel.</p>
+
<div class=impl>
- <p class=XXX>should probably mention something about how a browser
- should rate-limit outgoing traffic to prevent the browser from being
- used to (accidentally or intentionally) saturate the local
- network.</p>
+ <p>To avoid network traffic congestion and other denial of service
+ attacks based on traffic volume, user agents should apply
+ rate-limiting to <a href=#data-udp-media-stream title="data UDP media stream">data UDP media
+ streams</a>.</p>
</div>
+ <h3 id=garbage-collection-0><span class=secno>9.6 </span>Garbage collection</h3>
+ <p>A <code><a href=#window>Window</a></code> object has a strong reference to any
+ <code><a href=#peerconnection>PeerConnection</a></code> objects created from the constructor
+ whose global object is that <code><a href=#window>Window</a></code> object.</p> <!-- we
+ could be less strict here, e.g. dropping the reference when there's
+ no way for an event to be fired because there's no event handlers
+ registered and there's no way for the remote peer to notice anything
+ because no media is streaming; or e.g. dropping the reference when
+ the object reaches the CLOSED state. But as dropping the reference
+ in those cases is black-box indistinguishable from keeping the
+ reference, I haven't bothered to work out the exact rules. -->
+
+
<h3 id=event-definitions-0><span class=secno>9.7 </span>Event definitions</h3>
<p>The <code title=event-stream-addstream>addstream</code> and
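Review bot: the rewritten security paragraph drops the replay warning without replacing it. The old text said replay attacks are possible and told scripts to give each packet a unique identifier and refuse to process the same packet twice; the new text claims protection against cross-protocol use, modification in transit and reading in transit, and says nothing about replay. If the packet format now prevents replay, say so here; if it does not, keep the advice to scripts, since encryption and hashing alone do not stop a captured packet from being delivered a second time.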
@@ -78729,7 +78739,7 @@
define how they are to be parsed or processed.</p>
- <h4 id=garbage-collection-0><span class=secno>11.2.8 </span>Garbage collection</h4>
+ <h4 id=garbage-collection-1><span class=secno>11.2.8 </span>Garbage collection</h4>
<p>While an <code><a href=#eventsource>EventSource</a></code> object's <code title=dom-EventSource-readyState><a href=#dom-eventsource-readystate>readyState</a></code> is not <code title=dom-EventSource-CLOSED><a href=#dom-eventsource-closed>CLOSED</a></code>, and the object has one
or more event listeners registered for <code title=event-message><a href=#event-message>message</a></code> events, there must be a strong
@@ -79389,7 +79399,7 @@
- <h5 id=garbage-collection-1><span class=secno>11.3.3.2 </span>Garbage collection</h5>
+ <h5 id=garbage-collection-2><span class=secno>11.3.3.2 </span>Garbage collection</h5>
<p>A <code><a href=#websocket>WebSocket</a></code> object whose <code title=dom-WebSocket-readyState><a href=#dom-websocket-readystate>readyState</a></code> attribute's value
was set to <code title=dom-WebSocket-CONNECTING><a href=#dom-websocket-connecting>CONNECTING</a></code>
Modified: index
===================================================================
--- index 2011-05-31 20:32:14 UTC (rev 6160)
+++ index 2011-05-31 22:12:44 UTC (rev 6161)
@@ -1005,8 +1005,10 @@
<li><a href=#obtaining-local-multimedia-content><span class=secno>9.2 </span>Obtaining local multimedia content</a></li>
<li><a href=#stream-api><span class=secno>9.3 </span>Stream API</a></li>
<li><a href=#peer-to-peer-connections><span class=secno>9.4 </span>Peer-to-peer connections</a></li>
- <li><a href=#the-data-stream><span class=secno>9.5 </span>The data stream</a></li>
- <li><a href=#security-considerations><span class=secno>9.6 </span>Security considerations</a></li>
+ <li><a href=#the-data-stream><span class=secno>9.5 </span>The data stream</a>
+ <ol>
+ <li><a href=#security-considerations><span class=secno>9.5.1 </span>Security considerations</a></ol></li>
+ <li><a href=#garbage-collection-0><span class=secno>9.6 </span>Garbage collection</a></li>
<li><a href=#event-definitions-0><span class=secno>9.7 </span>Event definitions</a></li>
<li><a href=#event-summary><span class=secno>9.8 </span>Event Summary</a></ol></li>
<li><a href=#comms><span class=secno>10 </span>Communication</a>
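Review bot: renumbering Security considerations from 9.6 to 9.5.1 scopes it to "The data stream", so among the entries shown in this hunk section 9.4 (Peer-to-peer connections) no longer has a security section alongside it. The new text's advice on protecting the signalling channel and the hosting page with TLS concerns the signalling channel as a whole; consider keeping a heading at the old level for that paragraph, or adding a pointer to 9.5.1 from 9.4.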
@@ -74975,13 +74977,13 @@
<dt><dfn id=dom-peerconnection-active title=dom-PeerConnection-ACTIVE><code>ACTIVE</code></dfn> (numeric value 2)</dt>
- <dd>The ICE Agent has concluded ICE processing and media is streaming.</dd>
+ <dd>The ICE Agent has concluded ICE processing. If any media streams were successfully negotiated, any relevant media is streaming.</dd>
<dt><dfn id=dom-peerconnection-closed title=dom-PeerConnection-CLOSED><code>CLOSED</code></dfn> (numeric value 3)</dt>
<dd>Either the <code title=dom-PeerConnection-close><a href=#dom-peerconnection-close>close()</a></code> method has been
- invoked, or the other peer removed all the media streams, or the
- other peer has apparently abruptly stopped sending any media.</dd>
+ invoked, or the other peer has apparently abruptly stopped sending
+ any media.</dd>
</dl><p>When the <dfn id=dom-peerconnection title=dom-PeerConnection><code>PeerConnection()</code></dfn>
constructor is invoked, the user agent must run the following steps.
@@ -75173,8 +75175,8 @@
generate any candidates for media streams whose media descriptions
do not have a label attribute ("<code title="">a=label:</code>"). <a href=#refsICE>[ICE]</a> <a href=#refsSDP>[SDP]</a> <a href=#refsSDPLABEL>[SDPLABEL]</a></p>
- <p>When a user agent starts receiving media for a component an a
- candidate provided for that component by a
+ <p>When a user agent starts receiving media for a component and a
+ candidate was provided for that component by a
<a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a>, the user agent
must follow these steps:</p>
@@ -75289,20 +75291,6 @@
object.</p>
<p>When a <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a>
- completes ICE processing with no active media streams, the user
- agent must <a href=#queue-a-task>queue a task</a> that sets the
- <code><a href=#peerconnection>PeerConnection</a></code> object's
- <a href=#peerconnection-readiness-state><code>PeerConnection</code> readiness state</a> to <code title=dom-PeerConnection-CLOSED><a href=#dom-peerconnection-closed>CLOSED</a></code> (3) and then, if the
- <code><a href=#peerconnection>PeerConnection</a></code> object's
- <a href=#peerconnection-readiness-state><code>PeerConnection</code> readiness state</a> has ever
- reached the <code title=dom-PeerConnection-ACTIVE><a href=#dom-peerconnection-active>ACTIVE</a></code>
- (2) state, <a href=#fire-a-simple-event title="fire a simple event">fires a simple
- event</a> named <code title=event-stream-close>close</code> at the
- <code><a href=#peerconnection>PeerConnection</a></code> object, or otherwise <a href=#fire-a-simple-event title="fire a
- simple event">fires a simple event</a> named <code title=event-stream-error>error</code> at the <code><a href=#peerconnection>PeerConnection</a></code>
- object.</p>
-
- <p>When a <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a>
restarts ICE processing for any reason (e.g. because a peer is
adding or removing a stream), the user agent must <a href=#queue-a-task>queue a
task</a> that sets the <code><a href=#peerconnection>PeerConnection</a></code> object's
@@ -75719,25 +75707,47 @@
</div>
- <h3 id=security-considerations><span class=secno>9.6 </span>Security considerations</h3>
+ <h4 id=security-considerations><span class=secno>9.5.1 </span>Security considerations</h4>
- <p>A <a href=#data-udp-media-stream>data UDP media stream</a> is encrypted, but that does
- not solve all security problems. In particular, <strong>replay
- attacks</strong> are possible. Scripts for which this would be a
- problem should give each packet a unique identifier and refuse to
- process the same packet twice.</p>
+ <p>The <a href=#data-udp-media-stream>data UDP media stream</a> packet format is designed
+ to protect against several obvious attacks. The data is made to
+ appear pseudo-random, so that it cannot be used in a cross-protocol
+ attack, even if somehow the stream were to be directed at an
+ unsuspecting remote host. The data is hashed in such a way that it
+ cannot be modified in transit. That data is encrypted so that it
+ cannot be read in transit.</p>
+ <p>These security mechanisms rely in part on a key that is
+ negotiated over the signalling channel; as such, the security is
+ only as strong as the security of the signaling channel. Authors are
+ encouraged to use TLS to protect the signalling channel and the
+ page(s) hosting the application, and are encouraged to secure the
+ host used to relay the signalling channel.</p>
+
<div class=impl>
- <p class=XXX>should probably mention something about how a browser
- should rate-limit outgoing traffic to prevent the browser from being
- used to (accidentally or intentionally) saturate the local
- network.</p>
+ <p>To avoid network traffic congestion and other denial of service
+ attacks based on traffic volume, user agents should apply
+ rate-limiting to <a href=#data-udp-media-stream title="data UDP media stream">data UDP media
+ streams</a>.</p>
</div>
+ <h3 id=garbage-collection-0><span class=secno>9.6 </span>Garbage collection</h3>
+ <p>A <code><a href=#window>Window</a></code> object has a strong reference to any
+ <code><a href=#peerconnection>PeerConnection</a></code> objects created from the constructor
+ whose global object is that <code><a href=#window>Window</a></code> object.</p> <!-- we
+ could be less strict here, e.g. dropping the reference when there's
+ no way for an event to be fired because there's no event handlers
+ registered and there's no way for the remote peer to notice anything
+ because no media is streaming; or e.g. dropping the reference when
+ the object reaches the CLOSED state. But as dropping the reference
+ in those cases is black-box indistinguishable from keeping the
+ reference, I haven't bothered to work out the exact rules. -->
+
+
<h3 id=event-definitions-0><span class=secno>9.7 </span>Event definitions</h3>
<p>The <code title=event-stream-addstream>addstream</code> and
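Review bot: "user agents should apply rate-limiting" in the impl block gives an implementer nothing to check against: it does not say whether the limit applies per stream, per PeerConnection or per page, nor what it is measured against. The XXX note it replaces at least named the concern (saturating the local network); stating that goal, or the scope of the limit, would make the requirement testable. Minor: the paragraph above spells both "signalling" and "signaling", and "That data is encrypted" presumably should read "The data is encrypted" to match the two sentences before it.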
Modified: source
===================================================================
--- source 2011-05-31 20:32:14 UTC (rev 6160)
+++ source 2011-05-31 22:12:44 UTC (rev 6161)
@@ -85724,14 +85724,14 @@
<dt><dfn title="dom-PeerConnection-ACTIVE"><code>ACTIVE</code></dfn> (numeric value 2)</dt>
- <dd>The ICE Agent has concluded ICE processing and media is streaming.</dd>
+ <dd>The ICE Agent has concluded ICE processing. If any media streams were successfully negotiated, any relevant media is streaming.</dd>
<dt><dfn title="dom-PeerConnection-CLOSED"><code>CLOSED</code></dfn> (numeric value 3)</dt>
<dd>Either the <code
title="dom-PeerConnection-close">close()</code> method has been
- invoked, or the other peer removed all the media streams, or the
- other peer has apparently abruptly stopped sending any media.</dd>
+ invoked, or the other peer has apparently abruptly stopped sending
+ any media.</dd>
</dl>
@@ -85962,8 +85962,8 @@
href="#refsICE">[ICE]</a> <a href="#refsSDP">[SDP]</a> <a
href="#refsSDPLABEL">[SDPLABEL]</a></p>
- <p>When a user agent starts receiving media for a component an a
- candidate provided for that component by a
+ <p>When a user agent starts receiving media for a component and a
+ candidate was provided for that component by a
<span><code>PeerConnection</code> ICE Agent</span>, the user agent
must follow these steps:</p>
@@ -86108,22 +86108,6 @@
object.</p>
<p>When a <span><code>PeerConnection</code> ICE Agent</span>
- completes ICE processing with no active media streams, the user
- agent must <span>queue a task</span> that sets the
- <code>PeerConnection</code> object's
- <span><code>PeerConnection</code> readiness state</span> to <code
- title="dom-PeerConnection-CLOSED">CLOSED</code> (3) and then, if the
- <code>PeerConnection</code> object's
- <span><code>PeerConnection</code> readiness state</span> has ever
- reached the <code title="dom-PeerConnection-ACTIVE">ACTIVE</code>
- (2) state, <span title="fire a simple event">fires a simple
- event</span> named <code title="event-stream-close">close</code> at the
- <code>PeerConnection</code> object, or otherwise <span title="fire a
- simple event">fires a simple event</span> named <code
- title="event-stream-error">error</code> at the <code>PeerConnection</code>
- object.</p>
-
- <p>When a <span><code>PeerConnection</code> ICE Agent</span>
restarts ICE processing for any reason (e.g. because a peer is
adding or removing a stream), the user agent must <span>queue a
task</span> that sets the <code>PeerConnection</code> object's
@@ -86617,25 +86601,47 @@
</div>
- <h3>Security considerations</h3>
+ <h4>Security considerations</h4>
- <p>A <span>data UDP media stream</span> is encrypted, but that does
- not solve all security problems. In particular, <strong>replay
- attacks</strong> are possible. Scripts for which this would be a
- problem should give each packet a unique identifier and refuse to
- process the same packet twice.</p>
+ <p>The <span>data UDP media stream</span> packet format is designed
+ to protect against several obvious attacks. The data is made to
+ appear pseudo-random, so that it cannot be used in a cross-protocol
+ attack, even if somehow the stream were to be directed at an
+ unsuspecting remote host. The data is hashed in such a way that it
+ cannot be modified in transit. That data is encrypted so that it
+ cannot be read in transit.</p>
+ <p>These security mechanisms rely in part on a key that is
+ negotiated over the signalling channel; as such, the security is
+ only as strong as the security of the signaling channel. Authors are
+ encouraged to use TLS to protect the signalling channel and the
+ page(s) hosting the application, and are encouraged to secure the
+ host used to relay the signalling channel.</p>
+
<div class="impl">
- <p class="XXX">should probably mention something about how a browser
- should rate-limit outgoing traffic to prevent the browser from being
- used to (accidentally or intentionally) saturate the local
- network.</p>
+ <p>To avoid network traffic congestion and other denial of service
+ attacks based on traffic volume, user agents should apply
+ rate-limiting to <span title="data UDP media stream">data UDP media
+ streams</span>.</p>
</div>
+ <h3>Garbage collection</h3>
+ <p>A <code>Window</code> object has a strong reference to any
+ <code>PeerConnection</code> objects created from the constructor
+ whose global object is that <code>Window</code> object.</p> <!-- we
+ could be less strict here, e.g. dropping the reference when there's
+ no way for an event to be fired because there's no event handlers
+ registered and there's no way for the remote peer to notice anything
+ because no media is streaming; or e.g. dropping the reference when
+ the object reaches the CLOSED state. But as dropping the reference
+ in those cases is black-box indistinguishable from keeping the
+ reference, I haven't bothered to work out the exact rules. -->
+
+
<h3>Event definitions</h3>
<p>The <code title="event-stream-addstream">addstream</code> and
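Review bot: the new Garbage collection paragraph has the Window hold a strong reference to every PeerConnection it created, with no release condition, so an object in the CLOSED state stays alive for as long as the Window does. The comment argues that releasing earlier is black-box indistinguishable, which holds for script-visible behaviour but not for memory: a page that creates connections repeatedly accumulates them. Consider adopting the comment's own suggestion of dropping the reference once the object reaches the CLOSED state.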