I haven't seen any further discussion here. If there are no objections,
could you merge in the changes (everything in
http://tools.ietf.org/tools/rfcdiff/rfcdiff.pyht?url1=http://tools.ietf.org/id/draft-ietf-hybi-thewebsocketprotocol-00.txt&url2=http://svn.tools.ietf.org/svn/wg/hybi/websocket/draft-ietf-hybi-thewebsocketprotocol-latest
except the framing stuff which is different in -01) in your draft?

Cheers,

Revisions below refer to revisions of
http://svn.tools.ietf.org/svn/wg/hybi/websocket/draft-ietf-hybi-thewebsocketprotocol.xml
This change as best as I can tell is already in -01
Committed as r15
As best as I can tell, the below corresponds to the part of the source file
that was the JavaScript API, not the protocol. This text is not present in
the HyBi document. I have not incorporated this change.
--- source (revision 5174)
+++ source (revision 5189)
@@ -80897,8 +80897,9 @@
title="">host</var>, on port <var title="">port</var> (if one was
specified), from <var title="">origin</var>, with the flag <var
title="">secure</var>, with <var title="">resource name</var> as
- the resource name, and with <var title="">protocols</var> as the
- (possibly empty) list of protocols.</p>
+ the resource name, with <var title="">protocols</var> as the
+ (possibly empty) list of protocols, and with the <var
+ title="">defer cookies</var> flag set.</p>


Ditto with the below:
<p class="note">If the "<span>establish a WebSocket
connection</span>" algorithm fails, it triggers the "<span>fail
@@ -81137,10 +81138,13 @@
<p>When the <i>WebSocket connection is established</i>, the user
agent must <span>queue a task</span> to first change the <code
title="dom-WebSocket-readyState">readyState</code> attribute's value
- to <code title="dom-WebSocket-OPEN">OPEN</code> (1); then change the
- <code title="dom-WebSocket-protocol">protocol</code> attribute's
- value to the <span>selected WebSocket subprotocol</span>, if there
- is one; and then <span>fire a simple event</span> named <code
+ to <code title="dom-WebSocket-OPEN">OPEN</code> (1); <span>apply the
+ cookies</span> that were collected in the <var title="">list of
+ cookies</var> when the <span title="WebSocket connection is
+ established">connection was established</span>; change the <code
+ title="dom-WebSocket-protocol">protocol</code> attribute's value to
+ the <span>selected WebSocket subprotocol</span>, if there is one;
+ and then <span>fire a simple event</span> named <code
title="event-open">open</code> at the <code>WebSocket</code>
object.</p>

Again, the below seems to be in the HTML/JS api, not the protocol, so I have
not incorporated any of the below.
@@ -81215,10 +81219,40 @@

<h5>Garbage collection</h5>

- <p>A <code>WebSocket</code> object with an open connection must not
- be garbage collected if there are any event listeners registered for
- <code title="event-message">message</code> events.</p>
+ <p>A <code>WebSocket</code> object whose <code
+ title="dom-WebSocket-readyState">readyState</code> attribute's value
+ was set to <code title="dom-WebSocket-CONNECTING">CONNECTING</code>
+ (0) as of the last time the <span>event loop</span> started
+ executing a <span title="concept-task">task</span> must not be
+ garbage collected if there are any event listeners registered for
+ <code title="event-open">open</code> events, <code
+ title="event-message">message</code> events, <code
+ title="event-error">error</code> events, or <code
+ title="event-close">close</code> events.</p>

+ <p>A <code>WebSocket</code> object whose <code
+ title="dom-WebSocket-readyState">readyState</code> attribute's value
+ was set to <code title="dom-WebSocket-OPEN">OPEN</code> (1) as of
+ the last time the <span>event loop</span> started executing a <span
+ title="concept-task">task</span> must not be garbage collected if
+ there are any event listeners registered for <code
+ title="event-message">message</code> events, <code
+ title="event-error">error</code> events, or <code
+ title="event-close">close</code> events.</p>
+
+ <p>A <code>WebSocket</code> object whose <code
+ title="dom-WebSocket-readyState">readyState</code> attribute's value
+ was set to <code title="dom-WebSocket-CLOSING">CLOSING</code> (2) as
+ of the last time the <span>event loop</span> started executing a
+ <span title="concept-task">task</span> must not be garbage collected
+ if there are any event listeners registered for <code
+ title="event-close">close</code> events.</p>
+
+ <p>A <code>WebSocket</code> object with <span title="WebSocket
+ connection is established">an established connection</span> that has
+ data queued to be transmitted to the network must not be garbage
+ collected.</p>
+
<p>If a <code>WebSocket</code> object is garbage collected while its
connection is still open, the user agent must <span>close the
WebSocket connection</span>.</p>

Committed as r16
@@ -81540,7 +81574,7 @@

<p>The third piece of information is given after the fields, in the
last eight bytes of the handshake, expressed here as they would be
- seen if interpreted as ASCII:</p>
+ seen if interpreted as UTF-8:</p>

<pre>Tm[K T2u</pre>

Also in r16
@@ -81597,7 +81631,7 @@
<em>set</em> cookies, as in HTTP.</p>

<p>After the fields, the server sends the aforementioned MD5 sum, a
- 16 byte (128 bit) value, shown here as if interpreted as ASCII:</p>
+ 16 byte (128 bit) value, shown here as if interpreted as UTF-8:</p>

<pre>fQJ,fN/4F4!~K~MH</pre>


Incorporated in r17
@@ -81935,6 +81969,13 @@
<p><i>This section only applies to user agents, not to
servers.</i></p>

+ <p>User agents running in controlled environments, e.g. browsers on
+ mobile handsets tied to specific carriers, may offload the
+ management of the connection to another agent on the network. In
+ such a situation, the user agent for the purposes of conformance is
+ considered to include both the handset software and any such
+ agents.</p>
+
<p class="note">This specification doesn't currently define a limit
to the number of simultaneous connections that a client can
establish to a server.</p>

Also in r17
@@ -81947,17 +81988,18 @@
title="">port</var>, from an origin whose <span title="ASCII
serialization of an origin">ASCII serialization</span> is <var
title="">origin</var>, with a flag <var title="">secure</var>, with
- a string giving a <var title="">resource name</var>, and with a
+ a string giving a <var title="">resource name</var>, with a
(possibly empty) list of strings giving the <var
- title="">protocols</var>, it must run the following steps. The <var
- title="">host</var> must be ASCII-only (i.e. it must have been
- punycode-encoded already if necessary). The <var
- title="">origin</var> must not contain characters in the range
+ title="">protocols</var>, and optionally with a <var title="">defer
+ cookies</var> flag, it must run the following steps. The <var
+ title="">host</var> must have been punycode-encoded already if
+ necessary (i.e. it does not contain characters above U+007E). The
+ <var title="">origin</var> must not contain characters in the range
U+0041 to U+005A (i.e. LATIN CAPITAL LETTER A to LATIN CAPITAL
LETTER Z). The <var title="">resource name</var> string must be a
- non-empty string of ASCII characters in the range U+0021 to U+007E
- that starts with a U+002F SOLIDUS character (/). The various strings
- in <var title="">protocols</var> must all be non-empty strings with
+ non-empty string of characters in the range U+0021 to U+007E that
+ starts with a U+002F SOLIDUS character (/). The various strings in
+ <var title="">protocols</var> must all be non-empty strings with
characters in the range U+0021 to U+007E, and must all be unique. <a
href="#refsORIGIN">[ORIGIN]</a></p>

Added as r18
@@ -82194,6 +82236,16 @@
considered a non-HTTP API for the purpose of cookie
processing.</p>

+ <p>When one or more HTTP headers are to be added to <var
+ title="">fields</var> for this step, each header must be added
+ separately, and each header must be added as one entry consisting
+ of the header's name in its canonical case, followed by a U+003A
+ COLON character (:) and a U+0020 SPACE character, followed by the
+ value with no use of continuation lines (i.e. containing no U+000A
+ LINE FEED characters).</p>
+
+ <!-- (Cookie headers only use one header for multiple cookies.) -->
+
<!--(v2-ws-auth)
<div class="example">

r19
@@ -82398,6 +82452,7 @@

</li>

+<!--(removed since the next step is even stricter)
<li>

<p>If <var title="">code</var> is not three bytes long, or if any

r19
@@ -82406,6 +82461,7 @@
these steps.</p>

</li>
+-->

<li>

r19
@@ -82380,8 +82432,10 @@

<p>If <var title="">field</var> is not at least seven bytes long,
or if the last two bytes aren't 0x0D and 0x0A respectively, or if
- it does not contain at least two 0x20 bytes, then <span>fail the
- WebSocket connection</span> and abort these steps.</p>
+ <var title="">field</var> contains any 0x0D bytes other than the
+ penultimate byte, or if <var title="">field</var> does not contain
+ at least two 0x20 bytes, then <span>fail the WebSocket
+ connection</span> and abort these steps.</p>

<p>User agents may apply a timeout to this step, <spa




r20
@@ -82463,7 +82519,7 @@

<dl class="switch">

- <dt>If the byte is 0x0D (ASCII CR)</dt>
+ <dt>If the byte is 0x0D (UTF-8 CR)</dt>

<dd>If the <var title="">name</var> byte array is empty, then
jump to the <a href="#ws-ua-fields-processing">fields

r20
@@ -82471,18 +82527,18 @@
connection</span> and abort these steps.</dd>


- <dt>If the byte is 0x0A (ASCII LF)</dt>
+ <dt>If the byte is 0x0A (UTF-8 LF)</dt>

<dd><span>Fail the WebSocket connection</span> and abort these
steps.</dd>


- <dt>If the byte is 0x3A (ASCII :)</dt>
+ <dt>If the byte is 0x3A (UTF-8 :)</dt>

<dd>Move on to the next step.</dd>


- <dt>If the byte is in the range 0x41 to 0x5A (ASCII A-Z)</dt>
+ <dt>If the byte is in the range 0x41 to 0x5A (UTF-8 A-Z)</dt>

<dd>Append a byte whose value is the byte's value plus 0x20 to
the <var title="">name</var> byte array and redo this step for

r20
@@ -82497,8 +82553,8 @@
</dl>

<p class="note">This reads a field name, terminated by a colon,
- converting upper-case ASCII letters to lowercase, and aborting if
- a stray CR or LF is found.</p>
+ converting upper-case letters in the range A-Z to lowercase, and
+ aborting if a stray CR or LF is found.</p>

</li>

r20
@@ -82525,17 +82581,17 @@

<dl class="switch">

- <dt>If the byte is 0x20 (ASCII space) and <var title="">count</var>
equals 1</dt>
+ <dt>If the byte is 0x20 (UTF-8 space) and <var title="">count</var>
equals 1</dt>

<dd>Ignore the byte and redo this step for the next byte.</dd>


- <dt>If the byte is 0x0D (ASCII CR)</dt>
+ <dt>If the byte is 0x0D (UTF-8 CR)</dt>

<dd>Move on to the next step.</dd>


- <dt>If the byte is 0x0A (ASCII LF)</dt>
+ <dt>If the byte is 0x0A (UTF-8 LF)</dt>

<dd><span>Fail the WebSocket connection</span> and abort these
steps.</dd>

r20
@@ -82558,7 +82614,8 @@
<p>Read a byte from the server.</p>

<p>If the connection closes before this byte is received, or if
- the byte is not a 0x0A byte (ASCII LF), then <span>fail the WebSocket
connection</span> and abort these steps.</p>
+ the byte is not a 0x0A byte (UTF-8 LF), then <span>fail the
+ WebSocket connection</span> and abort these steps.</p>

<p class="note">This skips past the LF byte of the CRLF after the
field.</p>

r20
@@ -82587,13 +82644,16 @@
<p><i>Fields processing</i>: Read a byte from the server.</p>

<p>If the connection closes before this byte is received, or if
- the byte is not a 0x0A byte (ASCII LF), then <span>fail the WebSocket
connection</span> and abort these steps.</p>
+ the byte is not a 0x0A byte (UTF-8 LF), then <span>fail the
+ WebSocket connection</span> and abort these steps.</p>

<p class="note">This skips past the LF byte of the CRLF after the
blank line after the fields.</p>

</li>

+ <li><p>Let the <var title="">list of cookies</var> be empty.</p></li>
+
<li>

<p>

r21
@@ -82629,9 +82689,9 @@
<dt>If the entry's name is "<code
title="http-upgrade">upgrade</code>"</dt>

- <dd><p>If the value is not exactly equal to the string
- "WebSocket", then <span>fail the WebSocket connection</span> and
- abort these steps.</p></dd>
+ <dd><p>If the value, <span>converted to ASCII lowercase</span>,
+ is not exactly equal to the string "websocket", then <span>fail
+ the WebSocket connection</span> and abort these steps.</p></dd>


<dt>If the entry's name is "<code

r21
@@ -82690,8 +82750,9 @@
<dd>

<p>If the relevant specification is supported by the user agent,
- handle the cookie as defined by the appropriate specification,
- with the resource being the one with the host <var
+ add the cookie, interpreted as defined by the appropriate
+ specification, to the <var title="">list of cookies</var>, with
+ the resource being the one with the host <var
title="">host</var>, the port <var title="">port</var>, the path
(and possibly query parameters) <var title="">resource
name</var>, and the scheme <code title="">http</code> if <var

r21
@@ -82708,6 +82769,11 @@
<p>If the relevant specification is not supported by the user
agent, then the field must be ignored.</p>

+ <p class="note">The cookies added to the <var title="">list of
+ cookies</var> are discarded if the connection fails to be
+ established. Only if and when the connection is established do
+ the cookies actually get applied.</p>
+
</dd>

***** This text is relating to a portion of the specification
(redirects/location: header) that is no longer in the spec *****
@@ -82764,6 +82830,9 @@
<li><p>Close the connection if the server has not already done
so.</p></li>

+ <li><p><span>Apply the cookies</span> in the <var title="">list
+ of cookies</var>.</p></li>
+
<li><p>Jump back to the first step of the overall algorithm
(the very top of the handshake).</p></li>

***** ditto -- not in the spec *****
@@ -82794,19 +82863,24 @@
<dt>If the entry's name is "<code
title="">www-authenticate</code>"</dt>

- <dd><p>Obtain credentials in a manner consistent with the
- requirements for handling the <code>WWW-Authenticate</code>
- header in HTTP, and then close the connection (if the server has
- not already done so) and jump back to the step labeled
- <i>connect</i>, including the relevant authentication headers in
- the new request.
+ <dd>
+
+ <p><span>Apply the cookies</span> in the <var title="">list of
+ cookies</var>, then obtain credentials in a manner consistent
+ with the requirements for handling the
+ <code>WWW-Authenticate</code> header in HTTP, and then close
+ the connection (if the server has not already done so) and jump
+ back to the step labeled <i>connect</i>, including the relevant
+ authentication headers in the new request.
--><!--END complete--><!--END epub--><!--
- <a href="#refsRFC2616">[RFC2616]</a>
+ <a href="#refsRFC2616">[RFC2616]</a>
--><!--START complete--><!--START epub--><!--END websocket-protocol--><!--
- <a href="#refsHTTP">[HTTP]</a>
+ <a href="#refsHTTP">[HTTP]</a>
--><!--START websocket-protocol--><!--
- </p></dd>
+ </p>

+ </dd>
+
<dt>Any other name</dt>

<dd>Ignore it.</dd>

r22
@@ -82847,7 +82921,7 @@

<p class="example">Using the examples given earlier, this leads to
the 16 bytes 0x30 0x73 0x74 0x33 0x52 0x6C 0x26 0x71 0x2D 0x32
- 0x5A 0x55 0x5E 0x77 0x65 0x75. In ASCII, these bytes correspond to
+ 0x5A 0x55 0x5E 0x77 0x65 0x75. In UTF-8, these bytes correspond to
the string "0st3Rl&amp;q-2ZU^weu".</p>

</li>

r22
@@ -82871,17 +82945,58 @@

</li>

+ <li><p>If the <var title="">defer cookies</var> flag is not set,
+ <span>apply the cookies</span> in the <var title="">list of
+ cookies</var>.</p></li>
+
<li>

<p>The <dfn>WebSocket connection is established</dfn>. Now the
user agent must send and receive to and from the connection as
described in the next section.</p>

+ <p>If the <var title="">defer cookies</var> flag is set, store the
+ <var title="">list of cookies</var> for use by the component that
+ invoked this algorithm.</p>
+
</li>

</ol>

+ <p>Where the algorithm above requires that a user agent <span>fail
+ the WebSocket connection</span>, the user agent may first read an
+ arbitrary number of further bytes from the connection (and then
+ discard them) before actually <span title="fail the WebSocket
+ connection">failing the WebSocket connection</span>. Similarly, if a
+ user agent can show that the bytes read from the connection so far
+ are such that there is no subsequent sequence of bytes that the
+ server can send that would not result in the user agent being
+ required to <span>fail the WebSocket connection</span>, the user
+ agent may immediately <span>fail the WebSocket connection</span>
+ without waiting for those bytes.</p>

+ <p class="note">The previous paragraph is intended to make it
+ conforming for user agents to implement the algorithm in subtlely
+ different ways that are equivalent in all ways except that they
+ terminate the connection at earlier or later points. For example, it
+ enables an implementation to buffer the entire handshake response
+ before checking it, or to verify each field as it is received rather
+ than collecting all the fields and then checking them as a
+ block.</p>
+
+ <p>When the user agent is to <dfn>apply the cookies</dfn> in a <var
+ title="">list of cookies</var>, it must handle each cookie in the
+ <var title="">list of cookies</var> as defined by the appropriate
+ specification.
+<!--END complete--><!--END epub-->
+ <a href="#refsRFC2109">[RFC2109]</a>
+ <a href="#refsRFC2965">[RFC2965]</a>
+<!--START complete--><!--START epub--><!--END websocket-protocol-->
+ <a href="#refsCOOKIES">[COOKIES]</a>
+<!--START websocket-protocol-->
+ </p>
+
+
<h6>Data framing</h6>

<p>Once a <span>WebSocket connection is established</span>, the user


**** dead text *****
@@ -82986,8 +83101,14 @@

</ol>

- <p>Otherwise, let <var title="">error</var> be true.</p>
+ </li>

+ <li>
+
+ <p>Otherwise, if the <var title="">frame type</var> is not
+ 0xFF or if the <var title="">length</var> was not 0, let <var
+ title="">error</var> be true.</p>
+
</li>

</ol>

**** dead text *****
@@ -83096,9 +83217,10 @@

</ol>

- <p class="note">The closing handshake <span title="the WebSocket
- closing handshake has finished">finishes</span> once the server
- returns the 0xFF packet, as described above.</p>
+ <p class="note">If the user agent initiates it, the closing
+ handshake <span title="the WebSocket closing handshake has
+ finished">finishes</span> once the server returns the 0xFF frame, as
+ described above.</p>

<hr>

r23
@@ -83125,7 +83247,25 @@

<p><i>This section only applies to servers.</i></p>

+ <p>Servers may offload the management of the connection to other
+ agents on the network, for example load balancers and reverse
+ proxies. In such a situation, the server for the purposes of
+ conformance is considered to include all parts of the server-side
+ infrastructure from the first device to terminate the TCP connection
+ all the way to the server that processes requests and sends
+ responses.</p>

+ <div class="example">
+
+ <p>For example, a data center might have a server that responds to
+ Web Socket requests with an appropriate handshake, and then passes
+ the connection to another server to actually process the data
+ frames. For the purposes of this specification, the "server" is the
+ combination of both computers.</p>
+
+ </div>
+
+
<h6>Reading the client's opening handshake</h6>

<p>When a client starts a WebSocket connection, it sends its part of

r24
@@ -83355,7 +83495,10 @@
requests to multiple hosts (e.g. in a virtual hosting
environment), then the value should be derived from the client's
handshake, specifically from the "<code
- title="http-host">Host</code>" field.</dd>
+ title="http-host">Host</code>" field. The <var
+ title="">host</var> value must be lowercase (not containing
+ characters in the range U+0041 LATIN CAPITAL LETTER A to U+005A
+ LATIN CAPITAL LETTER Z).</dd>

<dt><var title="">port</var></dt>


r25
@@ -83560,7 +83703,7 @@

<p class="example">In the example above, this would be the 16
bytes 0x6E 0x60 0x39 0x65 0x42 0x6B 0x39 0x7A 0x24 0x52 0x38 0x70
- 0x4F 0x74 0x56 0x62, or "n`9eBk9z$R8pOtVb" in ASCII.
+ 0x4F 0x74 0x56 0x62, or "n`9eBk9z$R8pOtVb" in UTF-8.

</li>

r25
@@ -83640,7 +83783,7 @@

<li>

- <p>Send two bytes 0x0D 0x0A (ASCII CRLF).</p>
+ <p>Send two bytes 0x0D 0x0A (UTF-8 CRLF).</p>

</li>


r26
@@ -83655,9 +83798,9 @@
<p>This completes the server's handshake. If the server finishes
these steps without <span title="abort the WebSocket
connection">aborting the WebSocket connection</span>, and if the
- client does not then <span>fail the connection</span>, then the
- connection is established and the server may begin and receiving
- sending data, as described in the next section.</p>
+ client does not then <span>fail the WebSocket connection</span>,
+ then the connection is established and the server may begin and
+ receiving sending data, as described in the next section.</p>


**** dead text ***
@@ -83801,7 +83944,9 @@
<hr>

<p>At any time, the server may decide to terminate the WebSocket
- connection by running through the following steps:</p>
+ connection by running through the following steps. These steps
+ should be run when the <var title="">client terminated</var> flag is
+ set, if they aren't already running.</p>

<ol>


*** irrelevant***
@@ -83903,7 +84048,6 @@
connection</span> arbitrarily.</p>


-
<h5>Security considerations</h5>

<p>While this protocol is intended to be used by scripts in Web


http://html5.org/tools/web-apps-tracker?from=5241&to=5244
Most of this did not apply as it was all framing. I applied the following in
r27

@@ -82946,8 +82937,8 @@
<li>

<p>Let <var title="">key₃</var> be a string consisting
- of eight random bytes (or equivalently, a random 64 bit integer
- encoded in big-endian order).</p>
+ of eight random bytes (or equivalently, a random 64 bit unsigned
+ integer encoded in big-endian order).</p>

<p class="example">For example, 0x47 0x30 0x22 0x2D 0x5A 0x3F 0x47
0x58.</p>
I really want to add this in (NPN), but there has been enough discussion
about the state of NPN and the fact that it's not yet a recommendation that
I am leaving this out for now pending further discussion.
ditto, pending more NPN discussion.

we can add this - "The frame-more bit MUST NOT be used on any frame with
a 0 application data length." Would you like to propose that (or other)
text?

The zero-chunk on the end might be necessary if the sender didn't know
there wouldn't be more fragments when it sent the last one.

Then how do we get real world data? Should everyone go modify Firefox
or Chrome themselves and run against only their servers to see how it
works?

Tell me about it!
We tried initially just to support v75 waiting for a sane v00, but
users were having problems. So we switched to v76 and got howls of
despair from v75 users.
So now Jetty supports both and we use the presence of Sec headers to
pick between v75 and v76 implementations.

I don't know of any wide deployments of the server, but I do know that
those experimenting with it have other constraints that prevent them
arbitrarily changing browsers at the same time they upgrade their
servers.
Exactly - currently there is no change in the handshake for 01 draft,
so I will have to inspect the first packet and guess. Of course that
does not work if the server sends the first packet.
thanks!

+1. Adam, I share your concerns about versions on the web, but the reality
is there is no other way right now. Suggestions welcome as to alternatives.

Speaking with my SMTP developer hat on, I don't follow Willy how this
is a problem.

Many MTA already trap and count unknown commands. If the first command
is POST, you can reject the client immediately or prevent it from
going into the next state until it issues QUIT or drop the line for
excessive out of state commands.

Not versioning requires an implementor to make the same really hard
choices, plus the added complexity of trying to figure out which
version of the protocol the other version is speaking.

Once we get to the final version of the spec, I am fine with leaving
out a formal version identifier, and then when we get to the point of
wanting to add some non-backwards-compatible feature we can have the
discussion about adding versioning then.

However, I remain totally convinced that we have to have some version
identifier in the draft protocol, so we can tell different versions of
the draft apart. We already have mutually incompatible
implementations in the wild, and having to come up with heuristics to
detect each new version that might be out there is going to get more
and more problematic.

To put it another way, versioning is for flag days, whereas feature
negotiation is for, well, negotiating features.

An example of a protocol with both is XMPP. It has a version, which
is always 1.0. It also has stream features for peer-to-peer feature
negotiation.

Jabber, its predecessor, had no version - but it also lacked the
feature negotiation. Essentially, XMPP's version indicates to the
receiver that it's okay to announce what features you offer.

So in our release protocol, I'd say we SHOULD NOT have a version, but
we MAY have a static, never to be changed, version.

For now, though, when we're quite likely to want to change our
feature negotiation mechanisms, we probably MUST have a version.

The key item is not that versions are bad, but that *changing* them
is.

Dave.

+1

HTTP servers deployed in the wild stills sees a significant proportion
of HTTP/1.0 traffic, but mostly HTTP/1.1. There is still even a few
HTTP/0.9 (== no version) requests, but those are mostly me using
telnet to get a REST resource (because I can't remember the args to
curl).

The difference in protocol behaviour between these 3 versions is
significant and it would be neigh impossible for a server to service
the variety of clients deployed without a version. Supporting 3
versions of the protocol does complicate the server, but there is no
other choice as you cannot force web clients to upgrade (nor me to
remember the args to curl)

The only time I've had real problems with different dialects of HTTP
was during the change from rfc2068 to rfc2616, both of which said they
were HTTP/1.1 (why not HTTP/1.2? So maybe now, years later it
is great they we don't have to maintain 2068 support, but that was
only lucky as there was not wide deployment of rfc2068 clients.

cheers

Hello Adam,
This is indeed discouraging. TLS server side implementers seem to be
rather challenged. For a security-related protocol, that's rather bad
indeed. I very much hope WS implementers can do a better job.
Of course browsers do matter. But servers do matter, too.
Of course the browser implementation experience is highly relevant! But
that doesn't mean that necessarily the browser implementation experience
with HTML (or TLS) is relevant to pre-RFC WS implementations.

The way I understand it, there are three things that could potentially
be versioned:

- Handshake
- Framing
- Extensions


Of these, the handshake is versioned almost by definition (though not
with an explicit number), given that a change of the handshake means
different header field names (I guess there's very wide agreement that
it would be extremely dumb to keep the same header field names with
different semantics).


The framing is where versioning has been proposed, but it is very
important to note that this is only for when the framing actually
changes. As soon as the framing is 'baked', I think there's wide
agreement that there is no need for versioning. Frankly speaking, I'd
also prefer to have *some* kind of indication of whether the first few
bits of a frame are a length or a frame type or what, even if that
doesn't have to be called a version number.


For extensions, as far as I understand, there is no proposal for
versioning in the sense that there is no plan to bundle certain
extensions under a certain version number. (there may be some base
protocol features (maybe multiplexing could be one of these, we don't
know yet) that are implemented by using the extension mechanism, but
that's a separate matter).


There is of course the possibility for each extension (as well as for
each subprotocol) to do versioning as they please (which hopefully will
mean as little as possible.


So overall, it seems to be that the browser experience of "be careful,
versioning, it may not work as well as you might think" is very much heeded.


Also, versioning has been requested for framing, and in particular for
the first few bits/bytes of framing. Squeezing information tightly into
bytes creates a different context with respect to versioning than a
textual protocol with lots of redundancy such as HTML.
Yes, indeed. The version number would only be changed if there were some
very basic changes in the protocol. The tremendous difficulty isn't so
much coming from a fundamental problem with versioning (if there indeed
were some very basic protocol changes, there would probably be wide
agreement with changing the version number) but from the fact that
nobody currently is interested in very basic changes in the HTTP
protocol (if you exclude this group :-).

In a similar way, it seems the big majority of contributors on this list
agree that the version number (or the absence of a version number)
should not change in a very, very long time *once the WS protocol, and
in particular the framing part, is baked*.


In some ways, this reminds me of the AtomPub WG. It kept the version
number at 0.3 while working on the spec. Everybody knew in advance that
the final version would be version 1.0. That way, it tried to make sure
that it had one shot at a clean spec, and reduced feature creep and
early lock-in. I don't know how successful that were.


Regards, Martin.