On 01/12/2014 21:52, Rémy Maucherat wrote:
> 2014-12-01 22:00 GMT+01:00 Mark Thomas <ma...@apache.org>:
> 
>> This is an improvement since it is not just the scheme, host and port
>> but it still reflects the connection being made to WebSocket rather than
>> the Origin of the request. I don't see how the WebSocketContainer can
>> possibly determine what the origin is. It has to rely on a user provided
>> value.
>>
>> Also, I don't see anything in either RFC6455 or the Java WebSocket
>> specification that says that the origin header is mandatory.
>>
> 
> The user has the opportunity to set its origin header, but having an origin
> seems mandatory enough to me right now.

What is the basis for stating that the origin header is mandatory?

If it is a specification then please provide a reference.

If it is deduced from the behaviour of the TCK then any test making such
an assumption is, in my view, invalid and needs to be challenged.

My reasoning for this is as follows:

- I am not aware of any requirement to provide an origin header in
  RFC 6455.

- I am not aware of any requirement to provide an origin header in the
  Java WebSocket specification version 1.0 or 1.1.

- The client library has no way to determine what the correct origin
  header may be.

- There are many use cases - e.g. stand-alone Java application - where
  an origin header makes no sense.

> Anything you don't like can be wrapped inside the strict flag.

This isn't an appropriate place to use the strict flag. This isn't the
result of a strict reading of the specification requiring a feature that
most users will never need that has a negative impact (e.g. on
performance). This is something that is just plain wrong [1] and
should not be in the code in any form.

Assuming that this is coming from testing with the TCK, I'd like to see
the results of challenging the affected tests (ideally with the
discussion on the EG as a result of that challenge) before making any
final decision on what the behaviour should be regarding the creation of
a default origin header.

Mark

[1] Show me a specification reference that requires this and I'll
happily change my position.
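
As an added example (not part of this message and not Tomcat's own code): one way an application can supply its own origin through the Java WebSocket API's `ClientEndpointConfig.Configurator.beforeRequest`, next to a server-side `checkOrigin` that makes an explicit decision when no origin header is sent. The class names, the example origins and the allow-list are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.server.ServerEndpointConfig;

// Added example: class names, origins and the allow-list are hypothetical.
public final class OriginExample {

    /** Client side: the application, not the container, chooses the Origin. */
    public static final class ExplicitOrigin extends ClientEndpointConfig.Configurator {
        private final String origin; // null: send no Origin (stand-alone app)

        public ExplicitOrigin(String origin) { this.origin = origin; }

        @Override
        public void beforeRequest(Map<String, List<String>> headers) {
            if (origin != null) {
                headers.put("Origin", Collections.singletonList(origin));
            }
        }
    }

    /** Builds a client config that carries the caller-supplied Origin, if any. */
    public static ClientEndpointConfig configFor(String origin) {
        return ClientEndpointConfig.Builder.create()
                .configurator(new ExplicitOrigin(origin)).build();
    }

    /** Server side: allow-list origins and decide explicitly when none is sent. */
    public static final class AllowListedOrigin extends ServerEndpointConfig.Configurator {
        private static final Set<String> ALLOWED = new HashSet<>(
                Arrays.asList("https://app.example", "https://admin.example"));
        private static final boolean ALLOW_MISSING_ORIGIN = true; // policy choice

        @Override
        public boolean checkOrigin(String originHeaderValue) {
            if (originHeaderValue == null || originHeaderValue.isEmpty()) {
                return ALLOW_MISSING_ORIGIN; // non-browser clients may omit it
            }
            return ALLOWED.contains(originHeaderValue);
        }
    }
}
```

Because a non-browser client can send any origin value, the server-side check limits which web pages can open the socket from a browser; it does not authenticate the client.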
