A quick update on WebSocket: It looks like the latest WebSocket spec (RFC 6455) addresses the security issues. The current PhoneGap branch that is a year old contains WebSocket.java that only offers the older insecure Draft 75 and Draft 76 WebSocket protocols.

I did some searching around and found the original source of WebSocket.java. The author is Nathan Rajlich and it so happens that his Java-WebSocket project is being actively developed. The project is at http://java-websocket.org/ and the repository is here: git://github.com/TooTallNate/Java-WebSocket

I've reviewed the code and this newer version has WebSocket protocol options for not only the original Drafts 75 and 76 but also Hybi 10 and Hybi 17. Hybi 17 is identical to the protocol defined by RFC 6455 which was released in December 2011. I'm checking with Nate to see if he sees any problems with using his code (currently licensed under MIT).

So what that means is if we incorporate Java-WebSocket into Cordova Android it should be pretty straightforward and the security issues should then be resolved.

On Wed, Feb 29, 2012 at 3:25 PM, Bryce Curtis <[email protected]> wrote:
> The issue is discussed http://davidwalsh.name/websocket-security and
> http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool-for.html
> .
>
> It has been fixed in the latest spec (
> http://tools.ietf.org/html/rfc6455#page-50), so it's a matter of using a
> client/server that is compliant.
>
> On Wed, Feb 29, 2012 at 10:31 AM, Filip Maj <[email protected]> wrote:
>
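
The protocol revisions named in this thread can be told apart from the headers of the opening handshake, which is one way to check that a client is speaking the RFC 6455 version. The following is an added example, not code from the thread or from the Java-WebSocket project; the class and method names are hypothetical, the sample requests are constructed, and accepting only version 13 is an assumed policy.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class HandshakeVersionCheck {
    enum Proto { DRAFT_75, DRAFT_76, HYBI_10, RFC_6455, UNKNOWN }

    // Collect the request headers (names lower-cased); stops at the blank line.
    static Map<String, String> headers(String request) {
        Map<String, String> h = new HashMap<>();
        String[] lines = request.split("\r\n");
        for (int i = 1; i < lines.length && !lines[i].isEmpty(); i++) {
            int c = lines[i].indexOf(':');
            if (c > 0) {
                h.put(lines[i].substring(0, c).trim().toLowerCase(Locale.ROOT),
                      lines[i].substring(c + 1).trim());
            }
        }
        return h;
    }

    static Proto classify(String request) {
        Map<String, String> h = headers(request);
        if (!"websocket".equalsIgnoreCase(h.get("upgrade"))) return Proto.UNKNOWN;
        String version = h.get("sec-websocket-version");
        if (h.containsKey("sec-websocket-key")) {
            if ("13".equals(version)) return Proto.RFC_6455; // Hybi 13-17 and the RFC
            if ("8".equals(version)) return Proto.HYBI_10;   // Hybi 8-12
            return Proto.UNKNOWN;
        }
        // Draft 76 sends two numeric challenge keys; Draft 75 sends no Sec-WebSocket-* keys.
        if (h.containsKey("sec-websocket-key1") && h.containsKey("sec-websocket-key2")) {
            return Proto.DRAFT_76;
        }
        return version == null ? Proto.DRAFT_75 : Proto.UNKNOWN;
    }

    // Assumed policy: only the RFC 6455 handshake is accepted.
    static boolean acceptable(String request) { return classify(request) == Proto.RFC_6455; }

    public static void main(String[] args) {
        String base = "GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: WebSocket\r\nConnection: Upgrade\r\n";
        String[] samples = { // constructed handshakes, one per protocol revision
            base + "Origin: http://example.test\r\n\r\n",
            base + "Sec-WebSocket-Key1: 1 8 3 2\r\nSec-WebSocket-Key2: 4 0 9 6\r\n\r\n12345678",
            base + "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 8\r\n\r\n",
            base + "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n" };
        for (String s : samples) System.out.println(classify(s) + " acceptable=" + acceptable(s));
    }
}
```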
