The issue is discussed at http://davidwalsh.name/websocket-security and
http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool-for.html.

It has been fixed in the latest spec
(http://tools.ietf.org/html/rfc6455#page-50), so it's a matter of using a
client/server that is compliant.

On Wed, Feb 29, 2012 at 10:31 AM, Filip Maj <f...@adobe.com> wrote:

> Bryce/Simon/Joe - do you guys remember what the issue was with the
> WebSockets branch?
>
> On 2/29/12 7:26 AM, "Marlin Mixon" <marlin.mi...@gmail.com> wrote:
>
> >Obviously it would be important to find out what the security issue(s)
> >are before embarking.  It looks like what I would do is refactor by
> >forking the current master release then insert code from the old
> >WebSockets branch and make changes as needed to make it work with the
> >newer code.  Finding relevant code in the WebSockets branch might be
> >an issue but it doesn't seem too hard a task.
> >
> >On Tue, Feb 28, 2012 at 6:30 PM, Filip Maj <f...@adobe.com> wrote:
> >> Hey Marlin,
> >>
> >> Thanks for joining the mailing list and starting discussion.
> >>
> >> One thing that may put you on the right track is actually a branch we have
> >> that implements WebSockets for the Android Cordova implementation :)
> >>
> >> https://github.com/apache/incubator-cordova-android/tree/WebSockets
> >>
> >>
> >> It is about a year behind in terms of upstream commits, so certainly a lot
> >> of work needs to be done, but I think 95% of the work is there.
> >>
> >> This branch was slated for introduction into master but never made it due
> >> to a security issue that came up (the details escape me - maybe someone
> >> else from the list can bring to light the original reason). Not sure
> >> whether or not that was resolved. I think it was due to some standards
> >> body declaring that some revision of the web sockets spec was incomplete?
> >> Something along those lines.
>
>
