On 07/14/2009 06:01 PM, Ian Hickson wrote: > On Tue, 14 Jul 2009, Alex Rousskov wrote: >> HTTP "hard-coding" seems to be a small, albeit critical, part of >> WebSocket so changing it to avoid conflicts with HTTP may be possible >> without significant negative effects on the rest of the draft. > > The handshake is a pretty critical part of the security model of the > WebSocket protocol. I don't really see how we can continue to have the > safe handshake while allowing either the client or the server to send any > arbitrary string.
Perhaps the WebSocket secure handshake should start _after_ the successful upgrade? Is not that how HTTP Upgrade was intended to be used? > WebSocket isn't an HTTP-upgraded protocol; it's just that its handshake > happens to be such that it can trick HTTP servers into thinking that it > is. In other words, HTTP Upgrade is not the initial handshake mechanism, > it just looks like it is if you don't examine it closely. I think I understand the intent behind the trick, but if a message looks like an HTTP message to the HTTP server or intermediary, the HTTP server or intermediary may start doing HTTP-valid things to it, and those things will not be valid from WebSocket point of view. Henrik provided a few examples of that already. I want to avoid the following Squid bug report 5 years from now: Title: Squid breaks FooBar Comment1: FooBar, a WebSocket application, works fine unless there is a "transparent" Squid proxy in the way. I have attached a packet trace. Comment2: Closed as invalid. Squid seems to be handling the HTTP messages correctly. Squid is not responsible to what happens after Upgrade, inside the tunnel. Comment3: Reopened as critical. I need to make this work. Please do something! I have read somewhere that if Squid would not add a Via or XFF header and also that extra space character after a column, everything would just work! Comment4: Changed to enhancement: Rewrite Squid to support WebSocket-compatible Upgrade exchange. Meanwhile, consider writing a post-Squid eCAP module that will rewrite Squid-altered HTTP messages to conform to WebSocket. Cheers, Alex.
