[Libwebsockets] Behaviour when server masks?

Andy Green andy at warmcat.com
Wed Nov 10 18:36:29 CET 2021

On 11/10/21 17:28, Felipe Gasper wrote:
>> On Nov 10, 2021, at 11:30, Andy Green <andy at warmcat.com> wrote:
>> On 11/10/21 15:47, Felipe Gasper wrote:
>>> Hi Andy et al.,
>>> 	I was recently writing some tests against Net::Libwebsockets and noticed that, when the server sends a masked frame, LWS as client doesn’t trigger a 1002 failure as RFC 6455 mandates (5.1).
>>> 	Is this an intended divergence from the specification?
>> It was a long time ago, but as I recall since there's a bit telling whether to use the mask, it didn't seem important.  I guess the idea is they didn't want any divergence between what an intermediary may see who ignores or doesn't ignore the server-side mask, and what the endpoint sees who may have a different plan about the serverside mask bit observance if it wasn't strictly specified.
> Yeah I think the masking in general is a bit “quaint” since TLS is so widespread now. Still, it’s what’s there, and I’ve seen other clients behave accordingly.

They did have a rationale, that you shouldn't be able to get JS in a 
browser to be able to connect and craft what went on the wire... that's 
why it's on client -> server side particularly.

But attackers have to pass the http -> ws upgrade hs before they could 
issue any ws protocol payload anyway, which is designed to be 
incompatible with anything you might try to attack; I voted against it 
since it meant you couldn't have const or reusable-in-place payloads, 
but it carried the day.

>> Does this help?
>> https://libwebsockets.org/git/libwebsockets/commit?id=7a9cd6a4755e73cf610362d3b76ec4ef9b821e5d
> Yes, thank you!

Great, I'll push it probably tomorrow.


> -FG

More information about the Libwebsockets mailing list