This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 15104 - In reply to: <p class="warning">Following HTTP procedures here could introduce serious security problems in a Web browser context. For example, consider a host with a WebSocket server at one path and an open HTTP redirector at another. Suddenl
Summary: In reply to: <p class="warning">Following HTTP procedures here could introduc...
Status: RESOLVED WONTFIX
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: WebSocket API (editor: Ian Hickson)
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: public-webapps-bugzilla
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-07 20:12 UTC by contributor
Modified: 2011-12-09 23:09 UTC

See Also:


Attachments

Description contributor 2011-12-07 20:12:55 UTC
Specification: http://dev.w3.org/html5/websockets/
Multipage: http://www.whatwg.org/C#top
Complete: http://www.whatwg.org/c#top

Comment:
In reply to:
<p class="warning">Following HTTP procedures here could introduce
    serious security problems in a Web browser context. For example,
    consider a host with a WebSocket server at one path and an open
    HTTP redirector at another. Suddenly, any script that can be given
    a particular WebSocket URL can be tricked into communicating to
    (and potentially sharing secrets with) any host on the Internet,
    even if the script checks that the URL has the right hostname.</p>

It SHOULD be possible to get the information from HTTP Status Codes 4xx and
5xx, to provide the ability to return useful information to the client, for
example, a "400 Bad Request" response with the following message "WebSocket
Version 8 or greater is required".

Posted from: 189.239.8.169
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2
Comment 1 Ian 'Hixie' Hickson 2011-12-09 23:09:50 UTC
We can't expose error information (at least, not cross-origin), as that would leak information about servers that have not opted-in.
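As an added example (not code from this bug report, the WebSocket API spec or the WHATWG text), here is the server side of what the two comments above are about: an RFC 6455 opening-handshake validator that answers an unsupported Sec-WebSocket-Version with 426 plus the supported version, an unlisted Origin with 403, and a malformed request with 400. The browser's WebSocket API surfaces none of these statuses to page script, which is the reason for the WONTFIX, so the function returns a reason string for server-side logging only. The allowed-origin set and the sample requests are constructed for illustration; the key is the RFC 6455 example nonce.

```python
import base64
import binascii
import hashlib

GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455
ALLOWED_ORIGINS = {"https://app.example"}       # assumed deployment value
EMPTY = "Content-Length: 0\r\n\r\n"


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into request line and lower-cased headers."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    return base64.b64encode(hashlib.sha1((key + GUID).encode()).digest()).decode()


def handshake_response(raw: bytes) -> tuple[int, str, str]:
    """Return (status, reason for the server log, response text). Only 101 upgrades."""
    request_line, h = parse_request(raw)
    if (not request_line.startswith("GET ") or h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in h.get("connection", "").lower()):
        return 400, "not a websocket upgrade", "HTTP/1.1 400 Bad Request\r\n" + EMPTY
    if h.get("sec-websocket-version") != "13":
        # The spec's way to say "version 13 required": 426 plus the supported version.
        return 426, "unsupported version", ("HTTP/1.1 426 Upgrade Required\r\n"
                                            "Sec-WebSocket-Version: 13\r\n" + EMPTY)
    if h.get("origin") not in ALLOWED_ORIGINS:
        # Origin is how a server opts in to a given web page; the page only sees a generic failure.
        return 403, "origin not allowed", "HTTP/1.1 403 Forbidden\r\n" + EMPTY
    try:
        nonce = base64.b64decode(h.get("sec-websocket-key", ""), validate=True)
    except binascii.Error:
        nonce = b""
    if len(nonce) != 16:  # RFC 6455: the key is a base64-encoded 16-byte nonce
        return 400, "bad key", "HTTP/1.1 400 Bad Request\r\n" + EMPTY
    return 101, "ok", ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                       "Connection: Upgrade\r\nSec-WebSocket-Accept: "
                       + accept_value(h["sec-websocket-key"]) + "\r\n\r\n")


def request(version="13", origin="https://app.example", key="dGhlIHNhbXBsZSBub25jZQ==") -> bytes:
    """Constructed sample handshake request (host names are placeholders)."""
    return (f"GET /chat HTTP/1.1\r\nHost: server.example\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            f"Sec-WebSocket-Version: {version}\r\nOrigin: {origin}\r\n\r\n").encode()
```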