[whatwg] Why deflate-stream is required to be enabled by the WebSocket API?
derhoermi at gmx.net
Wed Jul 20 16:56:25 PDT 2011
* Adam Barth wrote:
>On Wed, Jul 20, 2011 at 11:49 AM, Bjoern Hoehrmann <derhoermi at gmx.net> wrote:
>> The deflate-stream extension, when used for browser to server messages
>> allows an attacker to put whatever bytes he likes on the wire, after a
>> bit of unpredictable junk. Browser vendors were pretty opposed to that
>> for the normal protocol without extensions, and they were opposed to
>> having some way to make browsers send messages "unmasked"; so it would
>> be very odd for browser vendors to implement the extension. And by the
>> looks of it, the hybi Working Group may well drop deflate-stream now.
>> See <http://www.ietf.org/mail-archive/web/hybi/current/msg07093.html>
>> and <http://www.ietf.org/mail-archive/web/hybi/current/msg07581.html>.
>Isn't the obvious solution to both problems to apply compression before masking?
There is draft-tyoshino-hybi-websocket-perframe-deflate for that. It's
not a solution to the problem Takeshi Yoshino raised though, which is
about whether WebSocket API conformance should impose restrictions on
which WebSocket extensions must and must not be supported, as far as I
understand it anyway.
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
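As an added illustration of the ordering discussed above (compress each frame's payload first, then apply RFC 6455 client-to-server masking to the compressed bytes), here is example code written for this page; it is neither the draft's nor the thread participants' code, and it assumes single unfragmented binary frames shorter than 64 KiB.

```python
import os
import struct
import zlib
from typing import Optional

# Added example: raw DEFLATE applied per frame, then RFC 6455 masking of the
# compressed body. Simplified frame layout: FIN=1, RSV=000, binary opcode,
# no fragmentation, payload shorter than 65536 bytes.

OPCODE_BINARY = 0x02

def mask_bytes(data: bytes, key: bytes) -> bytes:
    """RFC 6455 section 5.3: XOR byte i with key[i mod 4]; its own inverse."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), as the per-frame extension uses."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

def inflate_raw(data: bytes) -> bytes:
    d = zlib.decompressobj(wbits=-15)
    return d.decompress(data) + d.flush()

def build_client_frame(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Compress, then mask: the wire carries XOR(deflate(payload), key), so
    whoever chose the payload did not choose the bytes the network sees."""
    key = os.urandom(4) if key is None else key   # fresh random key per frame
    body = deflate_raw(payload)
    header = bytes([0x80 | OPCODE_BINARY])        # FIN=1, RSV=000, opcode
    if len(body) < 126:
        header += bytes([0x80 | len(body)])       # MASK bit + 7-bit length
    else:
        header += bytes([0x80 | 126]) + struct.pack("!H", len(body))
    return header + key + mask_bytes(body, key)

def parse_client_frame(frame: bytes) -> bytes:
    """Server side: reject unmasked client frames, unmask, then inflate."""
    if frame[1] & 0x80 == 0:
        raise ValueError("client-to-server frame is not masked")
    length, offset = frame[1] & 0x7F, 2
    if length == 126:
        length, offset = struct.unpack("!H", frame[2:4])[0], 4
    key = frame[offset:offset + 4]
    body = frame[offset + 4:offset + 4 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return inflate_raw(mask_bytes(body, key))
```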