Mridul Muralidharan wrote:
> There is a difference between sending an upgrade request, which is
> conformant with http spec - and so intermediaries/others being able to
> make a decision about whether to allow/honour it or not, and doing it
> by fudging requests by making it look like http.
>
> I am all for using http in the way it is meant to be used - even for
> bootstrapping non-http protocols : if done right, which is not opaque
> : but not when trying to piggyback on 'port 80 is open, let us use it
> since admin can't stop us'.

In case you hadn't checked, WebSocket actually does use the HTTP Upgrade mechanism. Firewalls which block HTTP Upgrade requests based on the request and response headers can include blocking WebSocket, or not as they choose, in their rules. In this regard, there is no fudging.

The rigidity of WebSocket's spec forces senders to be more rigid in what they send, and receivers to be more strict in what they accept. This has the side effect that proxies which modify the request will sometimes break it. But it does not prevent HTTP firewall function, as long as it doesn't modify the messages when it's allowing them to pass.

> [Think using CONNECT to start sending arbitrary protocols : it is
> done a lot, but reason for having CONNECT enabled in proxies is not
> for arbitrary protocols, but just https].

Just a random FYI, CONNECT and port 443 are blocked in some locations, because they want to be able to inspect all HTTP requests and block those they can't inspect.

-- Jamie
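
The header-based filtering described in the message above, as an added example that is not part of the original post: a Python check that reads the Connection and Upgrade headers of a request and passes or blocks it by policy, leaving a passed request unmodified. ALLOWED_UPGRADES, the function names and the sample requests are assumptions constructed for this illustration.

```python
# Added illustration: header-based policy for HTTP Upgrade requests.
# ALLOWED_UPGRADES and the sample requests below are constructed, not from the post.
ALLOWED_UPGRADES = {"websocket"}  # hypothetical site policy


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request_line, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower()
        # Repeated headers are combined as one comma-separated list.
        headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return lines[0], headers


def tokens(value):
    """Lower-cased comma-separated tokens; protocol versions ("TLS/1.0") dropped."""
    return [t.strip().split("/")[0].lower() for t in value.split(",") if t.strip()]


def upgrade_decision(raw: bytes, allowed=ALLOWED_UPGRADES):
    """Return ("pass" | "block", reason); the request bytes are never rewritten."""
    try:
        _, headers = parse_request(raw)
    except ValueError as exc:
        return "block", str(exc)
    wants_upgrade = "upgrade" in tokens(headers.get("connection", ""))
    protocols = tokens(headers.get("upgrade", ""))
    if not wants_upgrade or not protocols:
        return "pass", "ordinary HTTP request"
    refused = [p for p in protocols if p not in allowed]
    if refused:
        return "block", "upgrade to %s not permitted" % ", ".join(refused)
    return "pass", "upgrade to %s permitted" % ", ".join(protocols)


# Constructed sample requests.
WS_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\n"
              b"Connection: keep-alive, Upgrade\r\nUpgrade: WebSocket\r\n\r\n")
OTHER_UPGRADE = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Connection: Upgrade\r\nUpgrade: TLS/1.0\r\n\r\n")
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
```
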
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.