[whatwg] Web Sockets

Frode Børli frode at seria.no
Mon Jul 21 15:10:00 PDT 2008


I have some feedback based on the discussions I participated in
earlier. Since I am on vacation I cannot give a proper proposal but I
think the following should be considered:


1. Allow pure TCPSocket using this method: var s = new
TCPSocket("/tcpsocket.xml");

The tcpsocket.xml-file must have a structure similar to this:

<websocket>
  <host>hostname/ip-address</host>
  <port>portnumber</port>
  <allow-origin>*</allow-origin>
</websocket>

Clarifications:

host: if specified and if the host is another host than the host where
tcpsocket.xml was downloaded from - a secure algorithm should be
applied, for example using reverse dns lookups on the target
IP-address and inspecting the TXT-records of the host name that the
reverse lookup returned.

port: any port

allow-origin: simple method of limiting who can connect to the port
specified in the tcpsocket.xml-file. For example this could be the
complete url of the javascript file or it could contain wildcards.


Advantages:

- Easy to adopt today on existing servers and can easily utilize for
example existing IRC-servers etc without modifications.
- Enables cross site usage (script on www.example.com can connect to
Yahoo by downloading www.yahoo.com/websocket.xml)
- Requires access to place files on the targeted server - so it is not
possible by simple cross site scripting attacks.
- A simple perl script can dynamically generate the xml-file above.
- Allows connection to SMTP servers only if the server owner intends
to allow it.


2. WebSockets should use previous work from RFC 2817
(http://www.ietf.org/rfc/rfc2817.txt). Web servers such as Apache must
then be extended to support websockets, but it should be very easy for
a developer to start using websockets. It would not require an extra
application listening on a separate port, and it would by definition
work in a virtual hosting environment.

Since the request is to an ordinary URL, the webserver will direct the
request to a file or script in the web root for the virtual host and
this script can decide to send a 426 Upgrade Required response, or it
can send 401 Unauthorised if the client sent the wrong Origin headers.
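The two server-side checks the post sketches, the allow-origin rule from tcpsocket.xml and the RFC 2817 Upgrade handshake that answers 426 or 401, worked through as an added Python example (not code from the original post or from any implementation). The shell-style wildcard syntax, the "websocket" Upgrade token, the 403 for an unverified third-party host and the verified_hosts set standing in for the reverse-DNS/TXT check are all assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy in the structure the post sketches (not a real file).
SAMPLE_POLICY = """<websocket>
  <host>irc.example.com</host>
  <port>6667</port>
  <allow-origin>http://www.example.com/*</allow-origin>
</websocket>"""


def parse_policy(xml_text):
    """Return (host, port, allow-origin patterns) from a tcpsocket.xml body."""
    root = ET.fromstring(xml_text)
    host = root.findtext("host", "").strip()
    port = int(root.findtext("port", "0"))
    origins = [e.text.strip() for e in root.findall("allow-origin") if e.text]
    return host, port, origins


def origin_allowed(origins, origin):
    """allow-origin entries are full script URLs or wildcard patterns; the post does
    not define the wildcard syntax, so shell-style '*' matching is assumed here."""
    return bool(origin) and any(fnmatch.fnmatchcase(origin, p) for p in origins)


def target_allowed(policy_host, policy_file_host, verified_hosts=frozenset()):
    """<host> may name the server that served tcpsocket.xml without further checks.
    Any other host needs the out-of-band verification the post calls for (reverse
    DNS plus TXT records); that step is modelled as a caller-supplied set of hosts
    that already passed it (assumption, not the post's algorithm)."""
    return policy_host == policy_file_host or policy_host in verified_hosts


def handshake_status(headers, policy_xml, policy_file_host, verified_hosts=frozenset()):
    """Choose the HTTP status for a request to the policy URL, in the post's terms:
    426 Upgrade Required when the client did not ask for an upgrade (RFC 2817),
    401 when the Origin header is not permitted by allow-origin, 403 (this example's
    choice, not stated in the post) when <host> is an unverified third party, and
    101 Switching Protocols when every check passes."""
    host, _port, origins = parse_policy(policy_xml)
    if headers.get("Upgrade", "").lower() != "websocket":
        return 426
    if not origin_allowed(origins, headers.get("Origin", "")):
        return 401
    if not target_allowed(host, policy_file_host, verified_hosts):
        return 403
    return 101
```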


