[whatwg] Why deflate-stream is required to be enabled by the WebSocket API?

Adam Barth w3c at adambarth.com
Wed Jul 20 15:54:30 PDT 2011


On Wed, Jul 20, 2011 at 11:49 AM, Bjoern Hoehrmann <derhoermi at gmx.net> wrote:
> * Takeshi Yoshino wrote:
>>Use of deflate-stream is now mandatory in API spec. I think this kind of
>>requirement is useless. How about leaving it up to implementors' decision?
>>http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917
>
> The deflate-stream extension, when used for browser to server messages
> allows an attacker to put whatever bytes he likes on the wire, after a
> bit of unpredictable junk. Browser vendors were pretty opposed to that
> for the normal protocol without extensions, and they were opposed to
> having some way to make browsers send messages "unmasked"; so it would
> be very odd for browser vendors to implement the extension. And by the
> looks of it, the hybi Working Group may well drop deflate-stream now.
> See <http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html>
> and <http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.

Isn't the obvious solution to both problems to apply compression before masking?

Adam
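
The two orderings discussed in this thread, side by side, as an added example that is not part of the original messages. It assumes raw DEFLATE from Python's zlib as a stand-in for the compression extension and the WebSocket 4-byte XOR mask; all function names and the sample payload and keys are constructed for illustration.

```python
import zlib


def mask(data: bytes, key: bytes) -> bytes:
    """WebSocket masking: XOR octet i with key[i % 4] (self-inverse)."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, standing in for the compression extension."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def inflate(data: bytes) -> bytes:
    return zlib.decompress(data, -15)


def compress_then_mask(payload: bytes, key: bytes) -> bytes:
    """Ordering proposed in the reply: the mask is the last step before the wire."""
    return mask(deflate(payload), key)


def mask_then_compress(payload: bytes, key: bytes) -> bytes:
    """Compression outside the mask: compressor output goes on the wire as is."""
    return deflate(mask(payload, key))


def fixed_under_mask(wire_a: bytes, key_a: bytes, wire_b: bytes, key_b: bytes) -> bool:
    """True if both wire images are one fixed byte string XORed with its own key,
    so no wire octet is determined until the per-frame key is drawn."""
    return len(wire_a) == len(wire_b) and mask(wire_a, key_a) == mask(wire_b, key_b)


# Constructed sample input: one script-chosen payload, two per-frame keys.
PAYLOAD = b"script-chosen message " * 8
KEY_A, KEY_B = bytes.fromhex("11223344"), bytes.fromhex("a2b3c4d5")

if __name__ == "__main__":
    for name, build in (("compress_then_mask", compress_then_mask),
                        ("mask_then_compress", mask_then_compress)):
        a, b = build(PAYLOAD, KEY_A), build(PAYLOAD, KEY_B)
        print(name, "fixed_under_mask =", fixed_under_mask(a, KEY_A, b, KEY_B))
```

With compression applied first, the wire bytes for a given payload are a fixed string under a fresh mask each time. With compression applied last, the outermost layer is the compressor's own framing (the first bit of the stream is the final-block flag whatever the key), so the check fails.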


