
Google Chrome Updates WebSocket Implementation to Improve Security



Google has updated the WebSocket protocol implementation in Chrome to a new version in order to address a known security issue.

At the end of November 2010, security researchers Adam Barth, David Huang, Eric Chen, Eric Rescorla and Collin Jackson published a paper outlining a serious security vulnerability in the WebSocket handshake.

The flaw allowed potential attackers to replace a file held in a cache, for example a widely used JavaScript file such as the Google Analytics script, with a malicious one.

As a result of the announcement both Mozilla and Opera dropped WebSocket support from their respective browsers until a fix was available.

The current WebSocket specification is at version 10 and has entered the last-call period that precedes its becoming a standard. The handshake flaw has been fixed since version 7.

Mozilla implemented the specification's version 07 in its upcoming Firefox 6 browser, while Chrome just upgraded its WebSocket support to version 10.

"We’ve updated Chromium to support the latest version (draft-ietf-hybi-thewebsocketprotocol-10) on the dev channel (14.0.835.2)," Google software engineer Takeshi Yoshino announced.

"Given that the specification is now in last-call and no further breaking changes are expected, it should now be safe to use WebSockets for production application development," he added.

The new version of the protocol introduces additional features such as support for binary messages and compression; however, it is not backwards compatible with the original implementation.

This means servers that wish to support future Chrome clients should update their WebSocket version to 10. "Existing JavaScript code still works once the protocol version used by the browser and server match," Yoshino explains.

The new implementation allows web coders to determine which version is supported by the browser through a header called Sec-WebSocket-Version. This header is missing from the protocol's previous versions, but it should have a value of 8 for the current Chrome implementation.
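
A server-side version check built on that header, as an added example that is not code from Chrome or from the specification's authors: it refuses upgrade requests that carry no Sec-WebSocket-Version, the case the article describes for the older handshake, and answers version 8 requests with the SHA-1 based Sec-WebSocket-Accept value used by the fixed handshake. The function names, the sample requests and the choice of 400/426 status codes are assumptions of this example.

```python
import base64
import hashlib

# Fixed GUID the fixed handshake appends to the client key (protocol constant).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
SUPPORTED_VERSIONS = {"8"}  # value the article gives for Chrome's draft-10 handshake


def parse_headers(raw_request):
    """Return a dict of lower-cased header names from a raw HTTP request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def negotiate(raw_request):
    """Return (status, response_headers); status codes are this example's choice."""
    h = parse_headers(raw_request)
    version = h.get("sec-websocket-version")
    if version is None:  # older handshake, no version header: refuse, do not guess
        return 400, {}
    if version not in SUPPORTED_VERSIONS:
        return 426, {"Sec-WebSocket-Version": ", ".join(sorted(SUPPORTED_VERSIONS))}
    key = h.get("sec-websocket-key", "")
    try:  # the client key must be a base64-encoded 16-byte nonce
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, {}
    except ValueError:
        return 400, {}
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": base64.b64encode(digest).decode("ascii"),
    }


# Constructed sample requests (not captured traffic).
DRAFT10 = ("GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
           "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
           "Sec-WebSocket-Version: 8\r\n\r\n")
LEGACY = ("GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: WebSocket\r\n"
          "Connection: Upgrade\r\nSec-WebSocket-Key1: 4 @1  46546xW%0l 1 5\r\n"
          "Sec-WebSocket-Key2: 12998 5 Y3 1  .P00\r\n\r\n")
```

Calling `negotiate(DRAFT10)` yields a 101 response, while `negotiate(LEGACY)` is rejected because the request has no version header.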
