What is Sec-WebSocket-Key for? -


in section 1.3 "opening handshake" of draft-ietf-hybi-thewebsocketprotocol-17, describes sec-websocket-key follows:

to prove handshake received, server has take 2 pieces of information , combine them form response. first piece of information comes |sec-websocket-key| header field in client handshake:

sec-websocket-key: dghlihnhbxbszsbub25jzq==

for header field, server has take value (as present in header field, e.g. base64-encoded [rfc4648] version minus leading , trailing whitespace), , concatenate globally unique identifier (guid, [rfc4122]) "258eafa5-e914-47da-95ca-c5ab0dc85b11" in string form, unlikely used network endpoints not understand websocket protocol. sha-1 hash (160 bits), base64-encoded (see section 4 of [rfc4648]), of concatenation returned in server's handshake [fips.180-2.2002].

here's thing can't understand: why not return code 101? if proper use of sec-websocket-key security, or prove can handle websocket requests, server return expected key if wanted to, , pretend websocket server.

according rfc 6455 websocket standard

first part:

.. server has prove client received client's websocket handshake, server doesn't accept connections not websocket connections.  prevents attacker tricking websocket server sending crafted packets using xmlhttprequest [xmlhttprequest] or form submission.  ... header field, server has take value (as present in header field, e.g., base64-encoded [rfc4648] version minus leading , trailing whitespace) , concatenate globally unique identifier (guid, [rfc4122]) "258eafa5-e914-47da- 95ca-c5ab0dc85b11" in string form, unlikely used network endpoints not understand websocket protocol.

second part:

the |sec-websocket-key| header field used in websocket opening handshake.  sent client server provide part of information used server prove received valid websocket opening handshake.  helps ensure server not accept connections non-websocket clients (e.g., http clients) being abused send data unsuspecting websocket servers.

so, value of guid specified in standard, unlikely (possible, put small probability) server not aware of websockets use it. not provide security (secure websockets - wss:// - does), ensures server understands websockets protocol.

really, you've mentioned, if aware of websockets (that's checked), pretend websocket server sending correct response. then, if not act correctly (e.g. form frames correctly), considered protocol violation. actually, can write websocket server incorrect, there not use in it.

and purpose prevent clients accidentally requesting websockets upgrade not expecting (say, adding corresponding headers manually , expecting smth else). sec-websocket-key , other related headers prohibited set using setrequestheader method in browsers.


Comments

Post a Comment

Popular posts from this blog

c# - Send Image in Json : 400 Bad request -

from android trying send image class of data, iis webservice. (c#) the problem 400 bad request . the image being encoded base64 . , placed json rest of class elements. my guess base64 not valid inside json. server not understand it. if set string "" , post accepted fine. so question is, how make base64 valid within json array? ( tried url.encode no success). or how should send image android webservice? gson gson = new gson(); string json = gson.tojson(record); // record has param { string base64photo } how big image? i'm pretty sure surpassing iis json size limit (default 4 mb). check http://geekswithblogs.net/frankw/archive/2008/08/05/how-to-configure-maxjsonlength-in-asp.net-ajax-applications.aspx or http://www.webtrenches.com/post.cfm/iis7-file-upload-size-limits good luck!
Read more

jquery - Fancybox - apply a function to several elements -

this source code below posted cristiano g. carvalho in answer question: calling fancybox gallery other link made user. <div class="details_gallery"> <a href="#" class="manualfancybox">manual call fancybox</a> <div class="details_gallery_min"> <a rel="details" href="max/1.jpg" class="fancybox"><img src="min/1.jpg" alt="" /></a> <a rel="details" href="max/2.jpg" class="fancybox"><img src="min/2.jpg" alt="" /></a> <a rel="details" href="max/3.jpg" class="fancybox"><img src="min/3.jpg" alt="" /></a> <a rel="details" href="max/4.jpg" class="fancybox"><img src="min/4.jpg" alt="" /></a> </div> </div> <script> $(document).read
Read more

An easy way to program an Android keyboard layout app -

i program android app replaces standard keyboard 1 one-hand optimized coffee++ keyboard layout. what special problems have face in progress? guess such project go deep android core, cause keyboard such essential thing. is wise start android developer tools (adt)—eclipse plugin described in this tutorial ? or there better way achieve goal? i new android programming, firm in php, mysql , javascript , use eclipse php i guess such project go deep android core, cause keyboard such essential thing. no. can create inputmethodservice implementation of keyboard. there sample soft keyboard in android sdk installation (if chose download sample code sdk manager), , there open source input methods floating around well, such hacker's keyboard. inputmethodservice distributed part of ordinary android application, , user can elect activate input method if user chooses. is wise start android developer tools (adt)—eclipse plugin described in tutorial? that fine s
Read more