Well-known URIs for the WebSocket Protocol
Summary: Has a DISCUSS. Has enough positions to pass once DISCUSS positions are resolved.
Eric Rescorla Discuss
Document: draft-bormann-hybi-ws-wk-00.txt

It has always been possible to form "ws" and "wss" URIs in such a way that they map to well-known HTTP(S) URIs when using the procedure in Section 4 of [RFC6455], so no new security considerations about this are created by now formally making the well-known URI mechanism available for "ws" and "wss", as well.

However, with well-known URIs becoming available for the WebSocket protocol, applications that want to define well-known URI suffixes specifically for WebSocket use also need to consider whether the resources becoming available under the equivalent HTTP(S) URI formed by Section 4 of [RFC6455] pose any information disclosure or other security considerations.

I'm not sure I am persuaded by this. The issue is that clients assume that these URIs have elevated privilege, so if it's not the case that WebSockets servers behave this way, we can't retroactively declare it. Can you explain in more detail why you think this is safe?
Alexey Melnikov Yes
Alia Atlas No Objection
Deborah Brungard No Objection
Ben Campbell No Objection
Spencer Dawkins No Objection
Suresh Krishnan No Objection
Warren Kumari No Objection
Please see Dan Romascanu's OpsDir review for a typo / nit.