Technical Summary
The WebSocket protocol enables two-way communication between a
client running untrusted code in a controlled environment and a
remote host that has opted in to communications from that code. The
security model used for this is the Origin-based security model
commonly used by Web browsers. The protocol consists of an opening
handshake followed by basic message framing, layered over TCP. The
goal of this technology is to provide a mechanism for browser-based
applications that need two-way communication with servers that does
not rely on opening multiple HTTP connections (e.g. using
XMLHttpRequest or <iframe>s and long polling).
Working Group Summary
The discussion within the HyBi WG was extremely contentious up to
December 2010/January 2011, when there was some indication that, due
to the lack of a valid way out, some participants might have been
considering leaving the IETF process altogether. The consensus
around masking as a solution to the security concerns raised at the end
of 2010, although not everybody's favorite, was the point the major
parties agreed they could live with, and the process began moving
forward again. Since then, the process has been more normal for
an IETF WG, in that not everyone agrees with the declared consensus
points, but at least there has been forward movement on a regular basis.
Document Quality
There are already several implementations of the protocol on different
web servers (e.g., Glassfish, Jetty, Apache) and a library
implementation (e.g., libwebsocket). On the client side, Firefox 6
already includes the protocol in its latest version, and Google has
announced that it will include it in a future version of the Chrome
browser. Microsoft has announced client and server support in the
upcoming Windows release ("Windows 8").
The following reviewers merit special mention. Magnus Westerlund
reviewed the -07 version on behalf of the TSV Directorate. Lisa
Dusseault, Richard Barnes and Kathleen Moriarty reviewed the -10
version on behalf of the Applications Area Review Team, General Area
Review Team, and Security Directorate respectively.
RFC Editor Notes
1. Section 1.3
OLD
[FIPS.180-2.2002]
NEW
[FIPS.180-3]
2. Section 14.1
OLD
[FIPS.180-2.2002]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, <http://
csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.
NEW
[FIPS.180-3]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-3, October 2008, <http://
csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf>.