Sunday, December 11, 2011

RFC 6454 and RFC 6455

Today, the IETF published two document: RFC 6454, The Web Origin Concept, and RFC 6455, The WebSocket Protocol.  Both these documents started out as sections in the HTML5 specification, which has been a hotbed of standards activity over the past few years, but they took somewhat different paths through the standards process.

RFC 6454's path through the IETF process was mostly smooth sailing.  The document defines the same-origin policy, which is widely implemented and fairly cut-and-dried.  In addition to the comparison and serialization algorithms we inherited from the WHATWG, the websec working group added a definition of the Origin HTTP header, which is used by CORS, and a broad description of the principles behind the same-origin policy.

RFC 6455's path was less smooth.  The protocol underwent several major revisions in the WHATWG, before reaching the IETF.  The protocol was fairly mature by the time it reached the hybi working group and was implemented in WebKit and Firefox.  Unfortunately, some details of the protocol offended HTTP purists, who wanted the protocol handshake to comply with HTTP.  The working group polished up these details, leading to churn in the protocol.

Around this time, some colleagues and I were studying the interaction between DNS rebinding and transparent proxies.  It occurred to us that folks had analyzed the end-to-end security properties of WebSockets but less effort had been expended analyzing the interaction between WebSockets and transparent proxies.  We studied these issues and found an interesting vulnerability.  We presented our findings to the working group, which updated the protocol to fix issue.

One perspective on these events is that they are a success.  We found and fixed a protocol-level vulnerability before the protocol was deployed widely.  Another perspective is that we annoyed early adopters polishing unimportant protocol details.  My view is that this debate boils down to whether you really believe that worse is better.  For my part, I believe we had a net positive impact, but I hope we can be less disruptive to early adopters when we improve security in the future.


  1. Congrats, Adam!

    I agree that worse is better, but the straw-man argument against wider review of WebSockets isn't fair. Anyone adopting it that early in the game should know that it has potential for change; if they didn't, the implementers and advocates misled them.

    After all, the last big technology the browser vendors pushed through the IETF without significant review was Cookies -- and look how well that turned out. Yes it worked, and yes it got traction, but boy was it a mess.

    Anyway, we'll probably disagree on that, and I'm not going to defend all aspects of the process -- e.g., about: is taking way too long.

    What's next?

  2. Typo note: In paragraph 3, "The was fairly mature by the time..." seems to be missing a word near teh beginning of the sentence.

  3. Typo fixed.

    @mnot: Good question. I'm hopeful that SPDY is next. It looks like the stars are aligning for the IETF to take up its standardization. Hopefully we can use the experience we've gained with WebSockets to make that process a success.

  4. It only annoyed the "early adopters" because the "purists" were concerned about details that were "unimportant" from your point of view and not theirs.

    "Worse is better" may be a better business plan, but it's inconsistent with putting something on standards track looking for rough consensus.

    Perhaps RFC 6454 was only "smooth sailing" because there's not enough context to evaluate its holes (like "What is the origin of 'about:blank'?") It would be better if it just defined Origin for HTTP URIs; otherwise all of the interesting action is in the specifications that reference this one.

    @mnot: Cookies were not "pushed through the IETF"; it would have been better if it had. But the early adopters who had widely implemented and deployed cookies didn't like the feedback they got from the security "purists" at the time, leaving the mess for the next generation of standardista's to fix.

  5. @Larry:

    Yeah, I definitely understand the "better is better" perspective. I don't view the protocol changes made by the working group as unimportant, but I do recognize that there was a cost to making those changes. Most notably, WebSockets came to market a year later that it might have otherwise.

    With respect to RFC 6454, you're right that it's mostly a building block for other standards to build upon. To answer your specific question, the origin of about:blank is a globally unique identifier. When used in an HTML document, the HTML specification changes the origin of about:blank documents depending on context. When used in other places, however, that HTML-specific quirk need not apply.

  6. It is all about Abu Dhabi Web Design the layouts to match all forms of digital media. The actual concept is that the design should support all the devices from desktops, laptops, smart phones, tablets to anything released in the future.

  7. a good essay editor may transform your own essay coming from as an ordinary best essay writing company uk in a good refined AND ALSO concise essay. you utilize perhaps spent a considerable quantity of time in excess of ones academic assignment. your current subsequently step will be in order to polish This to help perfection. This can be possible regarding you, as a writer, to help overlook your current errors that you should have committed.

  8. Regular vacation goers call for reductions along with other inexpensive business arrivals. The reason being they will vacation on the day-to-day time frame. Several oxygen arrivals organizations consider these kinds of vacation goers although usually do travel

  9. world-wide-web design purchases with the area regarding designing a great internet site AS WELL AS on the prolonged run updating IN ADDITION TO maintaining. with the internet boom, every institution wants to have a online footprint IN ADDITION TO the site is Tips on how to showcase one's skills AS WELL AS business IN ADDITION TO kindle your curiosity regarding potential customers.CMS for web designers

  10. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work