[whatwg] spec comments (websocket)
Ian Hickson
ian at hixie.ch
Tue Oct 13 04:37:00 PDT 2009

On Fri, 4 Sep 2009, Wenbo Zhu wrote:
>
> re: http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-40
> 1) section 6: "User agents should not close the Web Socket connection
> arbitrarily."
>
> Please clarify what "arbitrarily" means .. given there is no handshake
> for close?

Arbitrarily here has its usual meaning, "Determined by chance, whim, or
impulse, and not by necessity, reason, or principle".

The point being that the connection is only to be closed upon the request
of the user of the Web Socket API, and not, e.g., based on a timer.

> 2) section 7: "Servers that only accept input from one origin can just
> send back that value in the "WebSocket-Origin" header, without bothering
> to check the client's value."
>
> I suppose servers should still verify the (single) origin to ensure it
> matches .. Yes, the server simply echoes back the received origin
> thereafter.

No, the server need not check the origin in this case. The UA performs
that check. (The UA can be trusted to perform that check to the same
extent that the UA can be trusted to provide the correct Origin header.)
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
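
The exchange discussed in point 2, as an added example that is not part of the original message or of the draft: a single-origin server replies with a fixed "WebSocket-Origin" value without reading the client's Origin, and the user agent is the party that compares the two. The function names, origins and the simplified header handling are assumptions made for illustration; the last function shows the limit stated in the reply, namely that the check only binds clients that perform it.

```javascript
// Simplified model of the draft's opening handshake. Header names come from
// the message above; function names and origins are constructed.
const ALLOWED_ORIGIN = "http://example.com"; // the one origin this server serves

// Server side: reply with a fixed WebSocket-Origin and never inspect the
// Origin header the client sent.
function serverHandshake(requestHeaders) {
  return {
    status: 101,
    headers: {
      "Upgrade": "WebSocket",
      "Connection": "Upgrade",
      "WebSocket-Origin": ALLOWED_ORIGIN,
      "WebSocket-Location": "ws://example.com/demo",
    },
  };
}

// User-agent side: the page's real origin goes out in Origin, and the
// connection is only established if the server's WebSocket-Origin matches it.
function uaConnect(pageOrigin) {
  const request = { "Host": "example.com", "Origin": pageOrigin };
  const response = serverHandshake(request);
  if (response.status !== 101) return { open: false, reason: "bad status" };
  const echoed = response.headers["WebSocket-Origin"];
  if (echoed !== pageOrigin) {
    return { open: false, reason: `origin mismatch: ${echoed}` };
  }
  return { open: true, reason: "handshake ok" };
}

// A client that does not implement the UA check: the server cannot tell the
// difference, so the fixed header is an access rule for browsers, not
// authentication of the peer.
function rawClientConnect(claimedOrigin) {
  const request = { "Host": "example.com", "Origin": claimedOrigin };
  const response = serverHandshake(request);
  return { open: response.status === 101, reason: "no UA check performed" };
}

console.log(uaConnect("http://example.com"));
console.log(uaConnect("http://other.example"));
console.log(rawClientConnect("http://other.example"));
```

Anything the server must restrict regardless of the client's behaviour therefore needs its own authentication on top of the origin check.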