WebSocket

WebSocket is a technology providing for bi-directional, full-duplex communications channels, over a single Transmission Control Protocol (TCP) socket. It is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. The WebSocket API is being standardized by the W3C, and the WebSocket protocol has been standardized by the IETF as RFC 6455.[1] Because ordinary TCP connections to port numbers other than 80 are frequently blocked by administrators outside of home environments, it can be used as a way to overcome these restrictions and provide similar functionality with some additional protocol overhead while multiplexing several WebSocket services over a single TCP port.

For the client side, WebSocket was implemented in Firefox 4, Google Chrome 4, Opera 11, and Safari 5, as well as the mobile version of Safari in iOS 4.2.[2] Also, the BlackBerry Browser in OS7 supports WebSocket.[3] However, although present, support was disabled by default in Firefox 4 and 5 and Opera 11 because of concerns over security vulnerabilities.[4][5] The new -07 version of the WebSocket protocol, which fixes the protocol bug, is implemented and enabled by default in Firefox 6 [6] and in Chrome 14.[7]

There is also a command line switch for Google Chrome (--enable-websocket-over-spdy) that enables an early experimental implementation of WebSocket over SPDY.[8]

Contents

WebSocket Protocol Handshake

To establish a WebSocket connection, the client sends a WebSocket handshake request, and the server sends a WebSocket handshake response, as shown in the following example:

draft-ietf-hybi-thewebsocketprotocol-00

This is the older handshake mechanism; see below for newer versions.

Browser request to the server:

GET /demo HTTP/1.1
Upgrade: WebSocket
Connection: Upgrade
Host: example.com
Origin: http://example.com
Sec-WebSocket-Key1: 4 @1  46546xW%0l 1 5
Sec-WebSocket-Key2: 12998 5 Y3 1  .P00
 
^n:ds[4U

Server response:

HTTP/1.1 101 WebSocket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Origin: http://example.com
Sec-WebSocket-Location: ws://example.com/demo
Sec-WebSocket-Protocol: sample
 
8jKS'y:G*Co,Wxa-

The Sec-WebSocket-Key1 and Sec-WebSocket-Key2 fields and the 8 bytes after the fields are random tokens which the server uses to construct a 16-byte token at the end of its handshake to prove that it has read the client's handshake.

The handshake is constructed by concatenating the numbers from the first key, and dividing by the number of spaces. This is then repeated for the second key. The two resulting numbers are concatenated with each other, and with the last 8 bytes after the fields. The final result is an MD5 sum of the concatenated string.[9]

The handshake looks like HTTP but actually isn't. It allows the server to interpret part of the handshake request as HTTP and then switch to WebSocket.

Once established, WebSocket data frames can be sent back and forth between the client and the server in full-duplex mode. Text frames can be sent full-duplex, in either direction at the same time. The data is minimally framed with just two bytes. Each frame starts with a 0x00 byte, ends with a 0xFF byte, and contains UTF-8 data in between. Binary frames are not supported yet in the API. WebSocket text frames use a terminator, while binary frames use a length prefix.

draft-ietf-hybi-thewebsocketprotocol-06

To establish a WebSocket connection, the client sends a WebSocket handshake request, and the server sends a WebSocket handshake response, as shown in the following example:

GET /ws HTTP/1.1
Host: pmx
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 6
Sec-WebSocket-Origin: http://pmx
Sec-WebSocket-Extensions: deflate-stream
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==

Server response:(Server Architecture)

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=

The client sends a Sec-WebSocket-Key which is base64 encoded. To this key the magic string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" is appended, hashed with SHA1 and then base64 encoded. Notice that the Sec-WebSocket-Key is base64 encoded but is not decoded by the server. The result is then replied in the header "Sec-WebSocket-Accept".

Sec-WebSocket-Key to Sec-WebSocket-Accept example :

Proxy traversal

WebSocket protocol client implementations try to detect if the user agent is configured to use a proxy when connecting to destination host and port and, if it is, uses HTTP CONNECT method to set up a persistent tunnel.

While the WebSocket protocol itself is unaware of proxy servers and firewalls, it features an HTTP-compatible handshake so that HTTP servers can share their default HTTP and HTTPS ports (80 and 443) with a WebSocket gateway or server. The WebSocket protocol defines a ws:// and wss:// prefix to indicate a WebSocket and a WebSocket Secure connection, respectively. Both schemes use an HTTP upgrade mechanism to upgrade to the WebSocket protocol. Some proxy servers are harmless and work fine with WebSocket; others will prevent WebSocket from working correctly, causing the connection to fail. In some cases additional proxy server configuration may be required, and certain proxy servers may need to be upgraded to support WebSocket.

If unencrypted WebSocket traffic flows through an explicit or a transparent proxy server on its way to the WebSocket server, then, whether or not the proxy server behaves as it should, the connection is almost certainly bound to fail today (as WebSocket become more mainstream, proxy servers may become WebSocket aware). Therefore, unencrypted WebSocket connections should be used only in the simplest topologies.[10]

If an encrypted WebSocket connection is used, then the use of Transport Layer Security (TLS) in the WebSocket Secure connection ensures that an HTTP CONNECT command is issued when the browser is configured to use an explicit proxy server. This sets up a tunnel, which provides low-level end-to-end TCP communication through the HTTP proxy, between the WebSocket Secure client and the WebSocket server. In the case of transparent proxy servers, the browser is unaware of the proxy server, so no HTTP CONNECT is sent. However, since the wire traffic is encrypted, intermediate transparent proxy servers may simply allow the encrypted traffic through, so there is a much better chance that the WebSocket connection will succeed if WebSocket Secure is used. Using encryption is not free of resource cost, but often provides the highest success rate.

A mid-2010 draft (version hixie-76) broke compatibility with reverse-proxies and gateways by including 8 bytes of key data after the headers, but not advertising that data in a Content-Length: 8 header.[11] This data was not forwarded by all intermediates, which could lead to protocol failure. More recent drafts (e.g., hybi-09[12]) put the key data in a Sec-WebSocket-Key header, solving this problem.

URL scheme

The WebSocket protocol specification defines two new URI schemes, ws: and wss:,[13] for unencrypted and encrypted connections respectively. Apart from the scheme name, the rest of the URI components are defined to use URI generic syntax.[14]

Browser support

Chrome 14, Firefox 7 and Internet Explorer 10 are currently the only browsers supporting the latest draft specification ("hybi-10") of the WebSocket protocol. A detailed protocol test suite report [15] lists the conformance of those browsers to specific protocol aspects.

Firefox 4[16] and Opera 11[17] originally supported the outdated draft-ietf-hybi-thewebsocketprotocol-00 WebSocket, but have since disabled the protocol by default due to security issues. Chrome also plans to disable the WebSocket if actual exploit code appears before the protocol is revised.[18]

Current versions of Microsoft's Internet Explorer support the draft-ietf-hybi-thewebsocketprotocol-09 through a prototype, HTML5 Labs.[19]

Implementation status
Protocol Internet Explorer Firefox [20] Chrome Safari Opera
hixie-75 4 5.0.0
hixie-76
hybi-00		 4.0 (DISABLED) 6 5.0.1 11.00 (DISABLED)
hybi-06 HTML5 Labs[21] dev[22]
hybi-07 6.0[23]1
hybi-09 HTML5 Labs[19]
hybi-10 IE10 developer preview [15] 7[24]1 14[25]
RFC 6455 11 16[26]

1 Gecko-based browsers versions 6 - 10 implement the WebSocket object as "MozWebSocket",[27] requiring extra code to integrate with existing WebSocket-enabled code.

See also

References

  1. ^ RFC 6455
  2. ^ Katie Marsal (November 23, 2010). "Apple adds accelerometer, WebSockets support to Safari in iOS 4.2". AppleInsider.com. http://www.appleinsider.com/articles/10/11/23/apple_adds_accelerometer_websockets_support_to_safari_in_ios_4_2.html. Retrieved 2011-05-09. 
  3. ^ "Web Sockets API". RIM. http://docs.blackberry.com/en/developers/deliverables/29271/Web_Sockets_support_1582781_11.jsp. Retrieved 8 July 2011. 
  4. ^ Chris Heilmann (December 8, 2010). "WebSocket disabled in Firefox 4". Hacks.Mozilla.org. http://hacks.mozilla.org/2010/12/websockets-disabled-in-firefox-4/. Retrieved 2011-05-09. 
  5. ^ Aleksander Aas (December 10, 2010). "Regarding WebSocket". My Opera Blog. http://my.opera.com/chooseopera/blog/2010/12/10/regarding-websocket. Retrieved 2011-05-09. 
  6. ^ Dirkjan Ochtman (May 27, 2011). "WebSocket enabled in Firefox 6". Mozilla.org. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-06-30. 
  7. ^ "Chromium Web Platform Status". http://www.chromium.org/developers/web-platform-status. Retrieved 2011-08-03. 
  8. ^ "List of Chromium Command Line Switches". Peter.sh. http://peter.sh/experiments/chromium-command-line-switches/. Retrieved 2011-12-10. 
  9. ^ "The WebSocket protocol". August 16, 2010. http://www.whatwg.org/specs/web-socket-protocol/. Retrieved 2011-05-09. 
  10. ^ "How Web Sockets Interact With Proxy Servers". Infoq.com. http://www.infoq.com/articles/Web-Sockets-Proxy-Servers. Retrieved 2011-12-10. 
  11. ^ "WebSocket -76 is incompatible with HTTP reverse proxies". Ietf.org. 2010-07-06. http://www.ietf.org/mail-archive/web/hybi/current/msg02149.html. Retrieved 2011-12-10. 
  12. ^ "The WebSocket protocol, draft hybi-09". June 13, 2011. http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-09. Retrieved June 15, 2011. 
  13. ^ "IANA Uniform Resource Identifer (URI) Schemes". Iana.org. 2011-11-14. http://www.iana.org/assignments/uri-schemes.html. Retrieved 2011-12-10. 
  14. ^ "draft-hixie-thewebsocketprotocol-76 - The WebSocket protocol". Tools.ietf.org. http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol. Retrieved 2011-12-10. 
  15. ^ a b "WebSockets Protocol Test Report". Tavendo.de. 2011-10-27. http://www.tavendo.de/autobahn/testsuite/report/clients/index.html. Retrieved 2011-12-10. 
  16. ^ "How to enable WebSockets in Firefox". Developer.mozilla.org. 2011-09-30. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-12-10. 
  17. ^ "Opera 11 release notes, with procedure to re-enable Web Sockets". My.opera.com. 2010-12-17. http://my.opera.com/ODIN/blog/2010/12/17/new-html5-features-in-opera-11. Retrieved 2011-12-10. 
  18. ^ Issue 5643005: Disable WebSocket by default
  19. ^ a b "The WebSockets Prototype Gets Another Update". Blogs.msdn.com. 2011-06-22. http://blogs.msdn.com/b/interoperability/archive/2011/06/23/websockets-prototype-gets-another-update.aspx. Retrieved 2011-12-10. 
  20. ^ "WebSockets (support in Firefox)". Developer.mozilla.org. 2011-09-30. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-12-10. 
  21. ^ "Latest WebSockets Release Interoperates with Firefox, Eclipse's Jetty - Interoperability @ Microsoft - Site Home - MSDN Blogs". Blogs.msdn.com. 2011-03-11. http://blogs.msdn.com/b/interoperability/archive/2011/03/11/latest-websockets-release-interoperates-with-eclipse-s-jetty.aspx. Retrieved 2011-12-10. 
  22. ^ "hybi Firefox with WebSocket -06 demo build". Ietf.org. 2011-03-10. http://www.ietf.org/mail-archive/web/hybi/current/msg06854.html. Retrieved 2011-12-10. 
  23. ^ "Bug 640003 - WebSockets - upgrade to ietf-06". Bugzilla.mozilla.org. https://bugzilla.mozilla.org/show_bug.cgi?id=640003. Retrieved 2011-12-10. 
  24. ^ WebSockets - upgrade to ietf-07>
  25. ^ "Chromium bug 64470". Code.google.com. 2010-11-25. http://code.google.com/p/chromium/issues/detail?id=64470. Retrieved 2011-12-10. 
  26. ^ "WebKit Changeset 97247: WebSocket: Update WebSocket protocol to hybi-17". Trac.webkit.org. http://trac.webkit.org/changeset/97249. Retrieved 2011-12-10. 
  27. ^ "WebSockets - MDN". Developer.mozilla.org. 2011-09-30. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-12-10. 

External links