[Libwebsockets] Behaviour when server masks?
Andy Green
andy at warmcat.com
Wed Nov 10 18:36:29 CET 2021
On 11/10/21 17:28, Felipe Gasper wrote:
>
>> On Nov 10, 2021, at 11:30, Andy Green <andy at warmcat.com> wrote:
>>
>> On 11/10/21 15:47, Felipe Gasper wrote:
>>> Hi Andy et al.,
>>> I was recently writing some tests against Net::Libwebsockets and noticed that, when the server sends a masked frame, LWS as client doesn’t trigger a 1002 failure as RFC 6455 mandates (5.1).
>>> Is this an intended divergence from the specification?
>>
>> It was a long time ago, but as I recall since there's a bit telling whether to use the mask, it didn't seem important. I guess the idea is they didn't want any divergence between what an intermediary may see who ignores or doesn't ignore the server-side mask, and what the endpoint sees who may have a different plan about the serverside mask bit observance if it wasn't strictly specified.
>
> Yeah I think the masking in general is a bit “quaint” since TLS is so widespread now. Still, it’s what’s there, and I’ve seen other clients behave accordingly.

They did have a rationale, that you shouldn't be able to get JS in a
browser to be able to connect and craft what went on the wire... that's
why it's on client -> server side particularly.
But attackers have to pass the http -> ws upgrade hs before they could
issue any ws protocol payload anyway, which is designed to be
incompatible with anything you might try to attack; I voted against it
since it meant you couldn't have const or reusable-in-place payloads,
but it carried the day.

>> Does this help?
>>
>> https://libwebsockets.org/git/libwebsockets/commit?id=7a9cd6a4755e73cf610362d3b76ec4ef9b821e5d
>
> Yes, thank you!

Great, I'll push it probably tomorrow.

-Andy
> -FG
>
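
The RFC 6455 section 5.1 rule raised in this thread, as an added example that is not libwebsockets code and not part of the original message: a frame-header parser that returns close code 1002 when a client is handed a masked frame or a server an unmasked one. The names `ws_role`, `ws_hdr` and `ws_parse_hdr` are hypothetical, and the sample frames are the "Hello" examples from RFC 6455 section 5.7.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not the libwebsockets API. */
enum ws_role { WS_ROLE_CLIENT, WS_ROLE_SERVER };
#define WS_CLOSE_PROTOCOL_ERROR 1002 /* RFC 6455 section 7.4.1 */
struct ws_hdr {
    int opcode, masked;
    uint64_t payload_len;
    uint8_t mask_key[4];
    size_t hdr_len;
};

/* Sample input: the "Hello" text frames from RFC 6455 section 5.7. */
static const uint8_t unmasked_hello[] = { 0x81, 0x05, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t masked_hello[] = { 0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d, 0x7f, 0x9f, 0x4d, 0x51, 0x58 };

/* Parse one frame header as received by `role`: 0 on success, -1 if more
 * bytes are needed, 1002 when the MASK bit breaks RFC 6455 section 5.1. */
int ws_parse_hdr(enum ws_role role, const uint8_t *buf, size_t len, struct ws_hdr *h)
{
    size_t pos = 2, ext, i;
    if (len < 2)
        return -1;
    h->opcode = buf[0] & 0x0f;
    h->masked = buf[1] >> 7;
    h->payload_len = buf[1] & 0x7f;
    /* Direction check first: a client rejects masked, a server unmasked. */
    if (role == WS_ROLE_CLIENT ? h->masked : !h->masked)
        return WS_CLOSE_PROTOCOL_ERROR;
    ext = h->payload_len == 126 ? 2 : h->payload_len == 127 ? 8 : 0;
    if (len < pos + ext + (h->masked ? 4u : 0u))
        return -1;
    if (ext) /* 16- or 64-bit extended length, network byte order */
        for (h->payload_len = 0, i = 0; i < ext; i++)
            h->payload_len = (h->payload_len << 8) | buf[pos++];
    for (i = 0; h->masked && i < 4; i++)
        h->mask_key[i] = buf[pos++];
    h->hdr_len = pos;
    return 0;
}

int main(void)
{
    struct ws_hdr h;
    int bad = ws_parse_hdr(WS_ROLE_CLIENT, masked_hello, sizeof masked_hello, &h);
    int ok = ws_parse_hdr(WS_ROLE_CLIENT, unmasked_hello, sizeof unmasked_hello, &h);
    printf("client: masked frame -> %d, unmasked frame -> %d\n", bad, ok);
}
```

A caller that gets 1002 back would send a Close frame carrying that status and drop the connection rather than unmask and deliver the payload.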