Well-known URIs for the WebSocket Protocol

Summary: Has a DISCUSS. Has enough positions to pass once DISCUSS positions are resolved.

Eric Rescorla Discuss

Discuss (2017-08-01)
Document: draft-bormann-hybi-ws-wk-00.txt

   It has always been possible to form "ws" and "wss" URIs in such a way
   that they map to well-known HTTP(S) URIs when using the procedure in
   Section 4 of [RFC6455], so no new security considerations about this
   are created by now formally making the well-known URI mechanism
   available for "ws" and "wss", as well.
   However, with well-known URIs becoming available for the WebSocket
   protocol, applications that want to define well-known URI suffixes
   specifically for WebSocket use also need to consider whether the
   resources becoming available under the equivalent HTTP(S) URI formed
   by Section 4 of [RFC6455] pose any information disclosure or other
   security considerations.

I'm not sure I am persuaded by this. The issue is that clients assume
that these URIs have elevated privilege, so if it's not the case
that WebSockets servers behave this way, we can't retroactively declare
it. Can you explain in more detail why you think this is safe?

Alexey Melnikov Yes

Alia Atlas No Objection

Deborah Brungard No Objection

Ben Campbell No Objection

Spencer Dawkins No Objection

Suresh Krishnan No Objection

Warren Kumari No Objection

Comment (2017-07-29)
Please see Dan Romascanu's OpsDir review for a typo / nit.

Mirja Kühlewind No Objection

Terry Manderson No Objection

Kathleen Moriarty No Objection

Alvaro Retana No Objection

Adam Roach No Objection

Benoit Claise No Record

Alissa Cooper No Record