15104 2011-12-07 20:12:55 +0000 In reply to: <p class="warning">Following HTTP procedures here could introduce serious security problems in a Web browser context. For example, consider a host with a WebSocket server at one path and an open HTTP redirector at another. Suddenl 2011-12-09 23:09:50 +0000 1 1 1 Unclassified WebAppsWG WebSocket API (editor: Ian Hickson) unspecified Other other RESOLVED WONTFIX http://www.whatwg.org/specs/web-apps/current-work/#top P3 normal --- 1 contributor ian art.barstow ian mike public-webapps public-webapps-bugzilla oldest_to_newest 61110 0 contributor 2011-12-07 20:12:55 +0000 Specification: http://dev.w3.org/html5/websockets/ Multipage: http://www.whatwg.org/C#top Complete: http://www.whatwg.org/c#top Comment: In reply to: <p class="warning">Following HTTP procedures here could introduce serious security problems in a Web browser context. For example, consider a host with a WebSocket server at one path and an open HTTP redirector at another. Suddenly, any script that can be given a particular WebSocket URL can be tricked into communicating to (and potentially sharing secrets with) any host on the Internet, even if the script checks that the URL has the right hostname.</p> It SHOULD be possible to get the information from HTTP Status Codes 4xx and 5xx, to provide the ability to return useful information to the client, for example, a "400 Bad Request" response with the following message "WebSocket Version 8 or greater is required". Posted from: 189.239.8.169 User agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2 61352 1 ian 2011-12-09 23:09:50 +0000 We can't expose error information (at least, not cross-origin), as that would leak information about servers that have not opted-in.