New WebSocket Protocol: Secure and Extensible

Monday, August 01, 2011

The WebSocket protocol specification is now largely stable, with the previous security concerns resolved. As such, we’ve updated Chromium to support the latest version (draft-ietf-hybi-thewebsocketprotocol-10) on the dev channel (14.0.835.2). Given that the specification is now in “last-call” and no further breaking changes are expected, it should now be safe to use WebSockets for production application development.

Please note that the new protocol is incompatible with the one which Chromium previously supported (draft-ietf-hybi-thewebsocketprotocol-00), so existing WebSocket-based services may break. Please upgrade your servers to ones which support HyBi 10. Existing JavaScript code still works once the protocol version used by the browser and server match.

The new protocol introduces some exciting new features like binary message support and compression support, but these are not quite ready yet in Chrome and will come shortly - hang tight!

See the specs and discussion at W3C and WHATWG (spec, whatwg list) and IETF (spec, HyBi list) for more detail about the new protocol.

We’re more than happy to hear your feedback, and encourage you to file any bugs you find on our issue tracker.

6 comments:

tracker1 said...

Is part of the protocol the ability to query which version is implemented in the browser? How would one determine that an older version was in use?

Ian Fette said...

Yes, this can be determined from the Sec-WebSocket-Version header in current versions of the protocol. In previous versions of the protocol (e.g. in 76) this header is absent. In the current version the value of this header will be 8 (-9 and -10 did not change the protocol in any meaningful way, and were more clarifications / editorial so the version number did not change.)
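
A server-side version check built on the header described in the comment above, added here as an example; it is not code from the post, its commenters or Chromium. The function names and both sample requests are constructed for illustration, and the server is assumed to refuse legacy clients rather than fall back to the old handshake.

```python
import base64
import binascii
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID of the HyBi handshake
SUPPORTED = {"8"}  # Sec-WebSocket-Version value named in the comment above


def parse_headers(raw):
    """Map lower-cased header names to values for a raw HTTP upgrade request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def negotiate(raw):
    """Return ("accept", accept_value) or ("reject", reason); never guess a version."""
    h = parse_headers(raw)
    version = h.get("sec-websocket-version")
    if version is None:
        # Header absent: a draft-76 / hybi-00 era client.
        return ("reject", "legacy handshake without Sec-WebSocket-Version")
    if version not in SUPPORTED:
        return ("reject", "unsupported version " + version)
    key = h.get("sec-websocket-key", "")
    try:
        nonce = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        nonce = b""
    if len(nonce) != 16:  # the key must be a base64-encoded 16-byte nonce
        return ("reject", "malformed Sec-WebSocket-Key")
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return ("accept", base64.b64encode(digest).decode("ascii"))


# Constructed sample requests (not captured traffic).
HYBI10_REQ = (
    "GET /chat HTTP/1.1\r\nHost: server.example\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 8\r\n\r\n"
)
LEGACY_REQ = (
    "GET /chat HTTP/1.1\r\nHost: server.example\r\nUpgrade: WebSocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Key1: 4 @1  46546xW%0l 1 5\r\n"
    "Sec-WebSocket-Key2: 12998 5 Y3 1  .P00\r\n\r\n^n:ds[4U"
)
```

The accepted case returns the value the server would send back as Sec-WebSocket-Accept; a request without the version header is classified as legacy and rejected before any key handling.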

Thijs said...

Curious to see how fast this is picked up by other major browsers! Good work!

Boris said...

Thijs, Mozilla is shipping websocket in Firefox 6, going stable in 2 weeks or so. Prefixed, though, since the API spec is completely unstable so far.

Which makes me wonder about the original post. "Last Call" doesn't mean the spec is stable. "Candidate Recommendation" would mean that. And traditionally things that are not Candidate Recommendation yet are NOT shipped unprefixed... Is Chrome prefixing its websocket API?

Deo eτ Paτria said...

I've turned off WebGL because it isn't safe. Can I turn off this too? Is there an option to remove it entirely from my browser?

V-Pills said...

When will Firefox 6 be published?