Re: Hello from Mozilla

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Thu, 16 Jul 2009 12:41:10 +0200

Wed 2009-07-15 at 07:18 +0000, Ian Hickson wrote:

> The reason we have a very strict handshake is because we don't want it to
> be possible to trick a non-WebSocket-aware server into accepting a
> connection (or similarly, having the client be tricked by the script into
> accepting a connection to a non-WebSocket-aware server). This is
> especially important for WebSockets because once there's a connection
> established, any data might be sent.

Doesn't need to be octet-level strict for that. If you get a 101
response you know it's been accepted.

If you get anything else you need to deal with that, as required by
HTTP.

Until the end of the 101 response it's all HTTP, per the rules of HTTP.

> HTTP is getting similar restrictions, by the way, in the form of the CORS
> mechanism. Without CORS, scripts can't ever read data back from cross-site
> HTTP requests they initiate. CORS allows the server to opt in to sending
> data back to a third-party script.

Which is fine, as the HTTP part of CORS is a simple HTTP extension
within the framework defined by HTTP.

And I wouldn't call it that HTTP gets restrictions. In the case of CORS
HTTP is extended to give client scripts authorization to access the
server's data where such scripts before could not due to access
restrictions implemented in the user-agent.

For others following this thread:
http://www.w3.org/TR/access-control/
http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/

Regards
Henrik
Received on Thu Jul 16 2009 - 10:41:15 MDT
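
Added example (not part of the original message or of any WebSocket draft): a client-side check along the lines argued above, parsing the reply under ordinary HTTP rules up to the end of the head and switching protocols only on a 101. The function names, the `websocket` token and the sample responses are assumptions constructed for illustration.

```python
# Added illustration; the sample responses at the bottom are constructed.

def parse_head(raw: bytes):
    """Split an HTTP response into (status, headers, leftover bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # version, status code, optional reason phrase
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ValueError("not an HTTP/1.x status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        # Field names are case-insensitive; repeated fields join with commas.
        key = name.strip().lower()
        headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return int(parts[1]), headers, rest


def upgrade_decision(raw: bytes, protocol: str = "websocket"):
    """Return ("switch", leftover) only for a 101 that names `protocol`;
    otherwise ("http", status) so the caller handles it as plain HTTP."""
    status, headers, rest = parse_head(raw)
    if status != 101:
        return "http", status
    tokens = lambda h: {t.strip().lower() for t in headers.get(h, "").split(",")}
    if protocol.lower() not in tokens("upgrade") or "upgrade" not in tokens("connection"):
        raise ValueError("101 without matching Upgrade/Connection headers")
    # Everything after the blank line already belongs to the new protocol.
    return "switch", rest


# Constructed samples: header order, case and reason phrase are not fixed octets.
ACCEPTED = (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"connection: Upgrade\r\nUPGRADE: WebSocket\r\n\r\n\x00hi\xff")
REFUSED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
OTHER_PROTOCOL = (b"HTTP/1.1 101 Switching Protocols\r\n"
                  b"Connection: Upgrade\r\nUpgrade: TLS/1.0\r\n\r\n")
```

A server that does not understand the upgrade answers with some other status, which lands in the `"http"` branch and never reaches the framing layer.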
