[whatwg] Web Sockets

Ian Hickson ian at hixie.ch
Mon Jul 21 16:46:38 PDT 2008 

On Tue, 22 Jul 2008, Frode Børli wrote:
>
> 1. Allow pure TCPSocket using this method: var s = new
> TCPSocket("/tcpsocket.xml");
> 
> The tcpsocket.xml-file must have a structure similar to this:
> 
> <websocket>
>   <host>hostname/ip-address</host>
>   <port>portnumber</port>
>   <allow-origin>*</allow-origin>
> </websocket>
> 
> [...] port: any port

We can't do this, because it would allow cross-site scripting on shared 
hosts. (The server running on one port is not necessarily from the same 
user as the server running on another.)


> - Easy to adopt today on existing servers and can easily utilize for 
> example existing IRC-servers etc without modifications.

I don't know that it's that easy. We'd need to provide APIs for poking 
bytes, separate from poking text, and probably would need to provide an 
API to decide the encoding of each output string, etc. Reading would be 
even more complicated, since we'd have no framing, so you'd have to 
provide an arbitrary byte array, and then a bunch of methods for 
converting those to strings.

That sounds like far more complexity than I want to specify in HTML5.


> - Enables cross site usage (script on www.example.com can connect to 
> Yahoo by downloading www.yahoo.com/websocket.xml)

The current feature allows that too.


> - Requires access to place files on the targeted server - so it is not 
> possible by simple cross site scripting attacks.

Same with WebSockets.


> - A simple perl script can dynamically generate the xml-file above.

WebSockets do this without even the XML file. :-)


> - Allows connection to SMTP servers only if the server owner intends to 
> allow it.

Not necessarily, as noted above, since shared hosts means that different 
ports are owned by different people, even at the same IP.


> 2. WebSockets should use previous work from RFC 2817 
> (http://www.ietf.org/rfc/rfc2817.txt). Web servers such as Apache must 
> then be extended to support websockets, but it should be very easy for a 
> developer to start using websockets. It would not require an extra 
> application listening on a separate port, and it would by definition 
> work in a virtual hosting environment.

I'm not sure which part of RFC 2817 you intended to refer to. If you mean 
the TLS upgrade specifically, then we can't use that since 2817 doesn't 
provide a way to explicitly require a TLS connection from the page that 
creates the connection. Much better to have two separate protocol schemes 
and have one always require encryption.

Note that browsers don't use RFC 2817. It's not clear that servers would 
actually benefit from it either.


> Since the request is to an ordinary URL, the webserver will direct the 
> request to a file or script in the web root for the virtual host and 
> this script can decide to send an 426 Upgrade Required response, or it 
> can send 401 Unauthorised if the client sent the wrong Origin headers.

That doubles the number of HTTP roundtrips, which seems unnecessary.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list