[whatwg] Why deflate-stream is required to be enabled by the WebSocket API?

Bjoern Hoehrmann derhoermi at gmx.net
Wed Jul 20 11:49:52 PDT 2011

* Takeshi Yoshino wrote:
>Use of deflate-stream is now mandatory in the API spec. I think this kind of
>requirement is useless. How about leaving it up to implementors' decision?

The deflate-stream extension, when used for browser-to-server messages,
allows an attacker to put whatever bytes he likes on the wire, after a
bit of unpredictable junk. Browser vendors were pretty opposed to that
for the normal protocol without extensions, and they were opposed to
having some way to make browsers send messages "unmasked"; so it would
be very odd for browser vendors to implement the extension. And by the
looks of it, the hybi Working Group may well drop deflate-stream now.
See <http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html>
and <http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 