The solution to that problem that is now defined in the websocket standard is discussed in section 10.3 of the standard. In short, it is to "mask all data from the client to the server, so that the remote script (attacker) does not have control over how the data being sent appears on the wire, and thus cannot construct a message that could be misinterpreted by an intermediary as an HTTP request."
Refer to the standard itself if you want more detail: http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-14#section-10.3

________________________________
From: Mark T <[email protected]>
To: [email protected]
Sent: Friday, 9 September 2011 9:21
Subject: Re: SV: [svg-developers] Websockets, explained

Last I knew of the webSockets security issue, it was a specification-level vuln, in that intermediate caches could be poisoned such that traffic could be re-directed or intercepted. Have not tracked it close enough to be more specific.

I find eJabberd + strophe a working technique. Difference is likely to be if sending messages, then xmpp. Sending raw data, webSockets. <<-----------???

MarkT
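To make the masking mechanism from section 10.3 concrete, here is an added example (not code from either poster, and not from any WebSocket library) of the client-to-server masking transform and the server-side check that rejects unmasked client frames. It assumes the framing rules of the draft referenced above: a 4-byte masking key sent in the frame header, each payload byte XORed with key[i mod 4], and the MASK bit required on every client frame. The `build_client_frame`, `parse_client_frame` and `plaintext_on_wire` names, and the HTTP-looking sample payload, are constructed for this illustration. The point it demonstrates is the one in the reply: even when a script fully controls the payload, the bytes on the wire are never the payload itself, so an intermediary cannot be tricked into parsing it as an HTTP request.

```python
import os
import struct
from typing import Optional, Tuple


def mask_payload(payload: bytes, masking_key: bytes) -> bytes:
    """WebSocket masking transform: payload byte i is XORed with key[i % 4].
    XOR is its own inverse, so the same function also unmasks."""
    if len(masking_key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ masking_key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, masking_key: Optional[bytes] = None,
                       opcode: int = 0x1) -> bytes:
    """Build one FIN client-to-server frame with the MASK bit set.

    A fresh key per frame from the OS CSPRNG matters: a predictable key would let
    the sending script choose a payload whose masked form is attacker-controlled."""
    if masking_key is None:
        masking_key = os.urandom(4)
    header = bytes([0x80 | (opcode & 0x0F)])  # FIN=1, opcode (0x1 = text)
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])                          # MASK bit + 7-bit length
    elif n < (1 << 16):
        header += bytes([0x80 | 126]) + struct.pack("!H", n)  # 16-bit extended length
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)  # 64-bit extended length
    return header + masking_key + mask_payload(payload, masking_key)


def parse_client_frame(frame: bytes) -> Tuple[int, bytes]:
    """Server-side parse: refuse unmasked client frames, then unmask the payload.
    Returns (opcode, unmasked payload)."""
    if len(frame) < 2:
        raise ValueError("truncated frame header")
    opcode = frame[0] & 0x0F
    if not frame[1] & 0x80:
        # The spec requires the server to close the connection in this case.
        raise ValueError("client frame without MASK bit")
    n = frame[1] & 0x7F
    pos = 2
    if n == 126:
        (n,) = struct.unpack("!H", frame[2:4])
        pos = 4
    elif n == 127:
        (n,) = struct.unpack("!Q", frame[2:10])
        pos = 10
    key = frame[pos:pos + 4]
    masked = frame[pos + 4:pos + 4 + n]
    if len(key) != 4 or len(masked) != n:
        raise ValueError("truncated frame body")
    return opcode, mask_payload(masked, key)


def plaintext_on_wire(payload: bytes, frame: bytes) -> bool:
    """True if the raw payload bytes appear verbatim in the frame as sent."""
    return payload in frame


if __name__ == "__main__":
    # Constructed sample: a payload a hostile script might choose so that an
    # intermediary would read it as the start of an HTTP request.
    http_like = b"GET /victim HTTP/1.1\r\n\r\n"
    frame = build_client_frame(http_like)
    print("payload visible on the wire:", plaintext_on_wire(http_like, frame))
    print("server recovers:", parse_client_frame(frame))
```

Running the block shows `False` for the wire check and the original payload after unmasking; the round trip works because the masking key travels in the frame header, so the transform hides nothing from the server, only from an intermediary that is not parsing WebSocket framing.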

