It's not clear to me why you'd base a WebSocket client on httpd code.
For BWTP it might make sense, since the client may receive messages
that look like HTTP requests and be obliged to send responses that
look like HTTP responses. But that doesn't happen in WebSocket. Does
anyone have an example of an actual (not just planned) WebSocket
client that reuses HTTP server code?
I think that wording expresses a mechanism, not a use case. I think
the requirements should be about what we want to enable people to do
with the protocol, not about how we want to do it. That's kind of the
point of having a separate requirements gathering phase, right?

Regards,
Maciej

I have never ever ever seen such an intermediary in the wild.
However I have seen:

2a. Server-side intermediaries. These are the ones under the control
of system administrators in a different department who are under no
direct control or influence of the author: reverse-proxies, load balancers,
and the like. It would be optimal if they could be not used with only
incremental upgrades, because frankly, at the end of the day, it is
procedurally and commercially impossible for the author to wholesale-replace
anything on their networks, even if necessary. It would obviously be a
huge impediment to author adoption.


cheers

I understand and respect those positions.

However, please take a quick look at HTTP's history, because the same
will probably occur to WebSocket.

In the old days, you could write a HTTP server as a short shell script.
Seriously, I saw it done. NCSA Mosaic + shell scripts for servers.

HTTP was seen as a *much* simpler, "lighter" protocol than FTP for
fetching files. That was one of it's touted benefits. Simplicity,
ease of implementation.

Nowadays, it's reversed. I see people installing FTP servers because
HTTP is seen as heavy and FTP is seen as light. Bizarre but true.

Now, the only HTTP servers I see implemented in short scripts - and in
fact in some script libraries that are more widely used - are quite
buggy. Nobody notices because they get away without testing the buggy
parts. (For example, treating HEAD the same as GET, treating OPTIONS
the same as GET, ignoring the Expect header, not passing 1xx headers,
stripping spaces either side of a header name, claiming HTTP/1.1
compliance while not remotely complying, etc.).

I also see, on embedded systems lists, people asking where they can
get a small HTTP server to do this, that or the other. It never
occurs to them to just write one (except in one case I can think of,
where the device's badly written HTTP server for diagnostics was the
reason it kept crashing.) Even though it's actually easy to write a
conforming HTTP/0.9 server.

I think the same will happen with WebSocket: Simple at first, but
before you know it, it'll have evolved - and the web will be full of
dirty workarounds for buggy clients and servers - just like what
happened with HTTP.

When that happens, almost nobody will write an implementation raw in a
few lines of script, and a situation similar to HTTP today will occur.
There will be lots of WebSocket implementations available to choose
from - at least 6 in every major language and another 20 written in C
- and each targetted at a different audience, whether it's
scalability, easy of use from a scripting perspective, minimal size,
single-threaded, etc. So that almost everyone will use one of the
available ones, because it'd be a waste of their time not to.
+1, fwiw, I do agree with this.
I think it'll succeed, but only because these attack-blocking
strategies are too complex to implement in a few lines of script by an
amateur programmer, so they'll cut & paste other people's 5 pages of
code (the old buggy one from 2010 probably), when they decide not to
use libraries or front-ends.

Nearly all such programmers will learn, after one or two tries, that
it's easier to get an off-the-shelf implementation and use it anyway.
Then they can concentrate on their application. This is based on
observing what people do with other protocols - not just HTTP, but at
all layers.

We see people using SOAP after all. Clearly people see simplicity as
whatever pre-packaged APIs they can easily use, not on-the-wire
simplicity. And for whatever reasons, sockets are harder to use than
pre-packaged messaging APIs.
I agree with the desire to protect users in this way.

But even random CGI authors tend to use a "CGI library" to read their
environment variables.
+1, I agree with the general sentiment. But I think it's doomed to
fail. Especially if the attack-blocking strategies are included, it's
simply too much for many programmers at that point to write their own.

So I think the attack-blocking strategies are fine, but partly because
the added complexity will put some people off writing their own servers.

Let's put it this way: If plain sockets were perceived as easy to
program, why are there people considering using WebSockets for
application-to-application communications (no browser) - instead of
just using plain sockets? Even though plain sockets are obviously
much less work than do-it-yourself WebSockets?
Well put. There's a couple more types, which don't affect the HTTP
handshake but definitely affect reliable WebSocket usage:

4. TCP relays (a couple of flavours, depending on whether they relay
half-closes (shutdown) or full-closes only). Those are used on some
mobile/wireless networks, and some tunnelled environments. This
doesn't affect the protocol bytes, but it does affect orderly
close strategy, and any ideas people may have had about TCP ACKs.

5. Not-quite-intermediary but affects the stream: Stateful firewalls
and NATs, whose ports remain open only as long as there is regular
keepalive traffic - and even then occasionally close randomly - and
always do so if the number of connections (from everyone) exceeds a limit.

4 and 5 are currently things that applications themselves must code
for if they want reliable operation.
Heh, I've seen a few specs which imply it :-)

Some people have said WebSocket's draft falls into this category at
the moment... because people have different ideas about what
constitutes hard to write (some see reusing Apache as easier than
writing a socket program) and hard to understand (opinions vary).
Oh, that's easy in Perl in 2 lines :-)

use Net::WebSocket::Simple qw(server, send);
server (port => 8910) { send("Response: ".uc($_)) }

It seems to me the dominant culture in Perl and Python worlds is to
use libraries. Maybe that's just the vocal bloggers, though.

-- Jamie

You can't. The fundamental Web Sockets requirements are beyond the
capabilities of a bare scripting language. You cannot use CGI as the Web
Socket plugin API, for example, because it's not powerful enough.
No, WebSockets is fundamentally more complicated than HTTP. See below.
No, the complexity exists with a single user. It's fundamental to
understanding the Web Socket protocol. This has nothing to do with
scaling and everything to do with implementing Web Sockets for a single
client.

Look at the problems solved by HTTP and Web Sockets abstractly:

HTTP is a trivial, stateless, single-threaded, synchronous protocol. The
abstract model for HTTP looks like:

1. event generated by client (*important* this is the only event in
the entire system), i.e. the GET request
2. server spawns application instance thread #1 (i.e. stateless)
3. single-threaded application processes request, blocking as
necessary (i.e. CGI is trivial single-threaded blocking script)
4. all state closes (Apache modules have even used this to work around
memory leaks.)

Trivial. One event. One thread. You don't need to know or think about
multithreaded programming to solve the problem.

Web Sockets is intrinsically asynchronous, multi-threaded and stateful.
The following is the perspective from the server application (the issues
are symmetrical, though browser implementations do the hard work on the
client end):

1. one of several asynchronous events can occur at any time: a new web
socket event/request, or a server application The server must handle any
of the events at any time. (Compare with the one unique initiating event
in HTTP.)

2. while processing a web socket request (e.g. a slow database call),
the application will probably want to be able to handle other web socket
request, and send server-initiated requests, rather than blocking while
#2 occurs. (Blocking isn't an issue in HTTP because it's synchronous.)

3. while processing a server request (e.g. pushing a large file), the
application will probably want to be able to handle new
web-socket-initiated requests, rather than blocking with #3 occurs.
(There's no matching complexity in HTTP because HTTP servers don't
initiate requests.)

A CGI script can't begin to solve this problem, because it cannot handle
#1 and specifically cannot handle any request of #3.

If you don't understand that complexities of an asynchronous system,
like even the simplest non-degenerate Web Socket server, dwarf the
synchronous parsing of a simple grammar, then you need to spend more
time studying the problem, because these are fundamental concepts.

-- Scott

I was thinking that I should put together a standalone client & server in
Ruby trying to use as much of Net::HTTP and Rack respectively as possible,
to explore how much re-use is possible.
Two questions:
- has anyone done this already?
- Is this so far outside the design space as to be silly?
It'd only be a few hours work I think.
- Tim
It's entirely possible to create a version of this protocol that is *not*
friendly to the standalone use case. If we designed the protocol solely to
work well as part of an HTTP server, it's actually pretty likely that we'd
make it needlessly complicated for authors of standalone servers. In
particular, your suggestion that "it is easier to reuse an existing HTTP
stack" is one that I think standalone server authors would probably not
agree with.
I don't think that's all of what we are trying to capture. We'd like it to
be reasonable to implement a standalone server, regardless of whether the
difficulties are imposed by HTTP-related processing or something else. For
example, if the message framing was unduly elaborate, then I'd say we are
failing the requirements for standalone servers.
I think this captures the combo server requirements reasonably well, but is
not so good at capturing the standalone server requirements. I think we
should listen to those who have implemented or plan to implement a
standalone server with regards to those.

Regards,
Maciej

Hi,

thank for the discussion, feedbacks and comments
it seems to me that there is an acceptable consensus on the following
requirements


Req. X The WebSocket protocol MUST allow HTTP and WebSocket
connections to be served from the same port.
Consideration MUST be given
* to provide WebSocket services via modules that plug in
to existing web infrastructure.
* to making it possible and practical to implement
standalone implementations of the protocol
without requiring a fully conforming HTTP implementation.

Reason: Some server developers would like to integrate WebSocket support
into existing HTTP servers.
In addition, the default HTTP and HTTPS ports are ofter
favoured for traffic that has to go through a firewall,
so service providers will likely want to be able to use
WebSocket over ports 80 and 443, even when running a We server
on the same host. However there could be scenarios where
it is not opportune or possible to setup a proxy on the same
HTTP server.




Req. Y When sharing host and "well known" port with HTTP, the
WebSocket protocol MUST be HTTP compatible until both ends have
established the WebSocket protocol.

Reason: when operating on the standard HTTP ports, existing web
infrastructure may handle according to existing standards prior to
the establishment of the new protocol.



Req. Z The protocol SHOULD make it possible and practical to reuse
existing HTTP components where appropriate.

Reason: the re-usage of existing well-debugged software decreases the
number of implementation errors as well as the possibility to
introduce security holes especially and at the same time
speed up the development especially when the Web Socket server
is implemented as modules that plug in to existing
popular Web servers



any objection to have them inserted in the draft instead of

REQ. 6: The Web Socket Protocol MUST be designed in such a way that
its servers can share a port with HTTP servers, as by
default the
Web Socket Protocol uses port 80 for regular Web Socket
connections and port 443 for Web Socket connection
tunnelled over TLS.



cheers
Sal