Why do we think cross-protocol is a security hole, and then we think the WebSocket protocol is not a security hole? If there exist protocols which enable certain risky features, such as sending email (SMTP), what absolute assurance do we have that there won't be some poorly programmed WebSocket servers which expose similar risky features? Should we block WebSockets too? I think the logic necessarily follows that if we are compelled to block cross-protocol, then we are also compelled to block WebSocket. Let's just block everything, shut down the internet, that would definitely be secure.

This is an example of the failure-directed castle security model (insanity) I described: http://www.ietf.org/mail-archive/web/hybi/current/msg03915.html

Why can't we focus on real security as I described: http://www.ietf.org/mail-archive/web/http-state/current/msg00939.html

P.S. If same origin policy (SOP) is the protection against vulnerable WebSocket servers, then it would also be for vulnerable protocols.
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.