draft-ietf-httpbis-h2-websockets-06.txt   draft-ietf-httpbis-h2-websockets-07.txt 
HTTP P. McManus HTTP P. McManus
Internet-Draft Mozilla Internet-Draft Mozilla
Updates: 6455 (if approved) May 31, 2018 Updates: 6455 (if approved) June 18, 2018
Intended status: Standards Track Intended status: Standards Track
Expires: December 2, 2018 Expires: December 20, 2018
Bootstrapping WebSockets with HTTP/2 Bootstrapping WebSockets with HTTP/2
draft-ietf-httpbis-h2-websockets-06 draft-ietf-httpbis-h2-websockets-07
Abstract Abstract
This document defines a mechanism for running the WebSocket Protocol This document defines a mechanism for running the WebSocket Protocol
(RFC 6455) over a single stream of an HTTP/2 connection. (RFC 6455) over a single stream of an HTTP/2 connection.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 2, 2018. This Internet-Draft will expire on December 20, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter . . . 3 3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter . . . 3
4. The Extended CONNECT Method . . . . . . . . . . . . . . . . . 4 4. The Extended CONNECT Method . . . . . . . . . . . . . . . . . 4
5. Using Extended CONNECT To Bootstrap the WebSocket Protocol . 4 5. Using Extended CONNECT To Bootstrap the WebSocket Protocol . 4
5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5
6. Design Considerations . . . . . . . . . . . . . . . . . . . . 6 6. Design Considerations . . . . . . . . . . . . . . . . . . . . 6
7. About Intermediaries . . . . . . . . . . . . . . . . . . . . 6 7. About Intermediaries . . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 10. Normative References . . . . . . . . . . . . . . . . . . . . 7
10.1. Normative References . . . . . . . . . . . . . . . . . . 7
10.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
The Hypertext Transfer Protocol (HTTP) [RFC7230] provides compatible The Hypertext Transfer Protocol (HTTP) [RFC7230] provides compatible
resource-level semantics across different versions but it does not resource-level semantics across different versions but it does not
offer compatibility at the connection management level. Other offer compatibility at the connection management level. Other
protocols, such as WebSockets, that rely on connection management protocols, such as WebSockets, that rely on connection management
details of HTTP must be updated for new versions of HTTP. details of HTTP must be updated for new versions of HTTP.
The WebSocket Protocol [RFC6455] uses the HTTP/1.1 Upgrade mechanism The WebSocket Protocol [RFC6455] uses the HTTP/1.1 Upgrade mechanism
(Section 6.7 of [RFC7230]) to transition a TCP connection from HTTP (Section 6.7 of [RFC7230]) to transition a TCP connection from HTTP
into a WebSocket connection. A different approach must be taken with into a WebSocket connection. A different approach must be taken with
HTTP/2 [RFC7540]. HTTP/2 does not allow connection-wide headers and HTTP/2 [RFC7540]. HTTP/2 does not allow connection-wide header
status codes such as the Upgrade and Connection request headers or fields and status codes such as the Upgrade and Connection request
the 101 response code due to its multiplexing nature. These are all header fields or the 101 (Switching Protocols) response code due to
required by the [RFC6455] opening handshake. its multiplexing nature. These are all required by the [RFC6455]
opening handshake.
Being able to bootstrap WebSockets from HTTP/2 allows one TCP Being able to bootstrap WebSockets from HTTP/2 allows one TCP
connection to be shared by both protocols and extends HTTP/2's more connection to be shared by both protocols and extends HTTP/2's more
efficient use of the network to WebSockets. efficient use of the network to WebSockets.
This document extends the HTTP CONNECT method (as specified for This document extends the HTTP CONNECT method (as specified for
HTTP/2 in Section 8.3 of [RFC7540]). The extension allows the HTTP/2 in Section 8.3 of [RFC7540]). The extension allows the
substitution of a new protocol name to connect to rather than the substitution of a new protocol name to connect to rather than the
external host normally used by CONNECT. The result is a tunnel on a external host normally used by CONNECT. The result is a tunnel on a
single HTTP/2 stream that can carry data for WebSockets (or any other single HTTP/2 stream that can carry data for WebSockets (or any other
skipping to change at page 3, line 42 skipping to change at page 3, line 42
client MAY use the Extended CONNECT definition of this document when client MAY use the Extended CONNECT definition of this document when
creating new streams. Receipt of this parameter by a server does not creating new streams. Receipt of this parameter by a server does not
have any impact. have any impact.
A sender MUST NOT send a SETTINGS_ENABLE_CONNECT_PROTOCOL parameter A sender MUST NOT send a SETTINGS_ENABLE_CONNECT_PROTOCOL parameter
with the value of 0 after previously sending a value of 1. with the value of 0 after previously sending a value of 1.
The use of a SETTINGS Parameter to opt-in to an otherwise The use of a SETTINGS Parameter to opt-in to an otherwise
incompatible protocol change is a use of "Extending HTTP/2" defined incompatible protocol change is a use of "Extending HTTP/2" defined
by Section 5.5 of [RFC7540]. Specifically, the addition a new by Section 5.5 of [RFC7540]. Specifically, the addition a new
pseudo-header ":protocol" and the change in meaning of the pseudo-header field ":protocol" and the change in meaning of the
":authority" pseudo-header in Section 4 require opt-in negotiation. ":authority" pseudo-header field in Section 4 require opt-in
If a client were to use the provisions of the extended CONNECT method negotiation. If a client were to use the provisions of the extended
defined in this document without first receiving a CONNECT method defined in this document without first receiving a
SETTINGS_ENABLE_CONNECT_PROTOCOL parameter, a non-supporting peer SETTINGS_ENABLE_CONNECT_PROTOCOL parameter, a non-supporting peer
would detect a malformed request and generate a stream error would detect a malformed request and generate a stream error
(Section 8.1.2.6 of [RFC7540]). (Section 8.1.2.6 of [RFC7540]).
4. The Extended CONNECT Method 4. The Extended CONNECT Method
Usage of the CONNECT method in HTTP/2 is defined by Section 8.3 of Usage of the CONNECT method in HTTP/2 is defined by Section 8.3 of
[RFC7540]. This extension modifies the method in the following ways: [RFC7540]. This extension modifies the method in the following ways:
o A new pseudo-header :protocol MAY be included on request HEADERS o A new pseudo-header field :protocol MAY be included on request
indicating the desired protocol to be spoken on the tunnel created HEADERS indicating the desired protocol to be spoken on the tunnel
by CONNECT. The pseudo-header is single valued and contains a created by CONNECT. The pseudo-header field is single valued and
value from the HTTP Upgrade Token Registry located at contains a value from the HTTP Upgrade Token Registry located at
https://www.iana.org/assignments/http-upgrade-tokens/http-upgrade- https://www.iana.org/assignments/http-upgrade-tokens/http-upgrade-
tokens.xhtml [1]. tokens.xhtml
o On requests bearing the :protocol pseudo-header, the :scheme and o On requests that contain the :protocol pseudo-header field, the
:path pseudo-header fields MUST be included. :scheme and :path pseudo-header fields of the target URI (See
Section 5) MUST also be included.
o On requests bearing the :protocol pseudo-header, the :authority o On requests bearing the :protocol pseudo-header field, the
pseudo-header field is interpreted according to Section 8.1.2.3 of :authority pseudo-header field is interpreted according to
[RFC7540] instead of Section 8.3 of [RFC7540]. In particular the Section 8.1.2.3 of [RFC7540] instead of Section 8.3 of [RFC7540].
server MUST NOT make a new TCP connection to the host and port In particular, the server MUST NOT create a tunnel to the host
indicated by the :authority. indicated by the :authority as it would with a CONNECT method
request that was not modified by this extension.
Upon receiving a CONNECT request bearing the :protocol pseudo-header Upon receiving a CONNECT request bearing the :protocol pseudo-header
the server establishes a tunnel to another service of the protocol field the server establishes a tunnel to another service of the
type indicated by the pseudo-header. This service may or may not be protocol type indicated by the pseudo-header field. This service may
co-located with the server. or may not be co-located with the server.
5. Using Extended CONNECT To Bootstrap the WebSocket Protocol 5. Using Extended CONNECT To Bootstrap the WebSocket Protocol
The pseudo-header :protocol MUST be included in the CONNECT request The :protocol pseudo-header field MUST be included in the CONNECT
and it MUST have a value of "websocket" to initiate a WebSocket request and it MUST have a value of "websocket" to initiate a
connection on an HTTP/2 stream. Other HTTP request and response WebSocket connection on an HTTP/2 stream. Other HTTP request and
headers, such as those for manipulating cookies, may be included in response header fields, such as those for manipulating cookies, may
the HEADERS with the CONNECT method as usual. This request replaces be included in the HEADERS with the CONNECT method as usual. This
the GET-based request in [RFC6455] and is used to process the request replaces the GET-based request in [RFC6455] and is used to
WebSockets opening handshake. process the WebSockets opening handshake.
The scheme of the Target URI (Section 5.1 of [RFC7230]) MUST be The scheme of the target URI (Section 5.1 of [RFC7230]) MUST be
"https" for "wss" schemed WebSockets and "http" for "ws" schemed "https" for "wss" schemed WebSockets and "http" for "ws" schemed
WebSockets. The websocket URI is still used for proxy WebSockets. The remainder of the Target URI is the same as the
autoconfiguration. websocket URI. The websocket URI is still used for proxy
autoconfiguration. The security requirements for the HTTP/2
connection used by this specification are established by [RFC7540]
for https requests and [RFC8164] for http requests.
[RFC6455] requires the use of Connection and Upgrade headers that are [RFC6455] requires the use of Connection and Upgrade header fields
not part of HTTP/2. They MUST NOT be included in the CONNECT request that are not part of HTTP/2. They MUST NOT be included in the
defined here. CONNECT request defined here.
[RFC6455] requires the use of a Host header which is also not part of [RFC6455] requires the use of a Host header field which is also not
HTTP/2. The Host information is conveyed as part of the :authority part of HTTP/2. The Host information is conveyed as part of the
pseudo-header which is required on every HTTP/2 transaction. :authority pseudo-header field which is required on every HTTP/2
transaction.
Implementations using this extended CONNECT to bootstrap WebSockets Implementations using this extended CONNECT to bootstrap WebSockets
do not do the processing of the [RFC6455] Sec-WebSocket-Key and Sec- do not do the processing of the [RFC6455] Sec-WebSocket-Key and Sec-
WebSocket-Accept headers as that functionality has been superseded by WebSocket-Accept header fields as that functionality has been
the :protocol pseudo-header. superseded by the :protocol pseudo-header field.
The Origin [RFC6454], Sec-WebSocket-Version, Sec-WebSocket-Protocol, The Origin [RFC6454], Sec-WebSocket-Version, Sec-WebSocket-Protocol,
and Sec-WebSocket-Extensions headers are used on the CONNECT request and Sec-WebSocket-Extensions header fields are used in the CONNECT
and response headers in the same way as defined in [RFC6455]. Note request and response header fields in the same way as defined in
that HTTP/1 header names were case-insensitive and HTTP/2 requires [RFC6455]. Note that HTTP/1 header field names were case-insensitive
they be encoded as lower case. and HTTP/2 requires they be encoded as lower case.
After successfully processing the opening handshake, the peers should After successfully processing the opening handshake, the peers should
proceed with the WebSocket Protocol [RFC6455] using the HTTP/2 stream proceed with the WebSocket Protocol [RFC6455] using the HTTP/2 stream
from the CONNECT transaction as if it were the TCP connection from the CONNECT transaction as if it were the TCP connection
referred to in [RFC6455]. The state of the WebSocket connection at referred to in [RFC6455]. The state of the WebSocket connection at
this point is OPEN as defined by [RFC6455], Section 4.1. this point is OPEN as defined by [RFC6455], Section 4.1.
The HTTP/2 stream closure is also analogous to the TCP connection of The HTTP/2 stream closure is also analogous to the TCP connection
[RFC6455]. Orderly TCP level closures are represented as END_STREAM closure of [RFC6455]. Orderly TCP level closures are represented as
([RFC7540], Section 6.1) flags and RST exceptions are represented END_STREAM ([RFC7540], Section 6.1) flags and RST exceptions are
with the RST_STREAM ([RFC7540], Section 6.4) frame with the CANCEL represented with the RST_STREAM ([RFC7540], Section 6.4) frame with
([RFC7540], Section 7) error code. the CANCEL ([RFC7540], Section 7) error code.
5.1. Example 5.1. Example
[[ From Client ]] [[ From Server ]] [[ From Client ]] [[ From Server ]]
SETTINGS SETTINGS
SETTINGS_ENABLE_CONNECT_[..] = 1 SETTINGS_ENABLE_CONNECT_[..] = 1
HEADERS + END_HEADERS HEADERS + END_HEADERS
:method = CONNECT :method = CONNECT
:protocol = websocket :protocol = websocket
skipping to change at page 6, line 45 skipping to change at page 6, line 45
A more native integration with HTTP/2 is certainly possible with A more native integration with HTTP/2 is certainly possible with
larger additions to HTTP/2. This design was selected to minimize the larger additions to HTTP/2. This design was selected to minimize the
solution complexity while still addressing the primary concern of solution complexity while still addressing the primary concern of
running HTTP/2 and WebSockets concurrently. running HTTP/2 and WebSockets concurrently.
7. About Intermediaries 7. About Intermediaries
This document does not change how WebSockets interacts with HTTP This document does not change how WebSockets interacts with HTTP
forward proxies. If a client wishing to speak WebSockets connects forward proxies. If a client wishing to speak WebSockets connects
via HTTP/2 to an HTTP proxy it should continue to use a traditional via HTTP/2 to an HTTP proxy it should continue to use a traditional
(i.e. not with a :protocol pseudo-header) CONNECT to tunnel through (i.e. not with a :protocol pseudo-header field) CONNECT to tunnel
that proxy to the WebSocket server via HTTP. through that proxy to the WebSocket server via HTTP.
The resulting version of HTTP on that tunnel determines whether The resulting version of HTTP on that tunnel determines whether
WebSockets is initiated directly or via a modified CONNECT request WebSockets is initiated directly or via a modified CONNECT request
described in this document. described in this document.
8. Security Considerations 8. Security Considerations
[RFC6455] ensures that non-WebSockets clients, especially [RFC6455] ensures that non-WebSockets clients, especially
XMLHttpRequest based clients, cannot make a WebSocket connection. XMLHttpRequest based clients, cannot make a WebSocket connection.
Its primary mechanism for doing that is the use of Sec- prefixed Its primary mechanism for doing that is the use of Sec- prefixed
request headers that cannot be created by XMLHttpRequest-based request header fields that cannot be created by XMLHttpRequest-based
clients. This specification addresses that concern in two ways: clients. This specification addresses that concern in two ways:
o XMLHttpRequest also prohibits use of the CONNECT method in o XMLHttpRequest also prohibits use of the CONNECT method in
addition to Sec- prefixed request headers. addition to Sec- prefixed request header fields.
o The use of a pseudo-header is something that is connection o The use of a pseudo-header field is something that is connection
specific and HTTP/2 does not ever allow to be created outside of specific and HTTP/2 does not ever allow to be created outside of
the protocol stack. the protocol stack.
The security considerations of [RFC6455] section 10 continue to apply
to the use of the WebSocket Protocol when using this specification
with the exception of 10.8. That section is not relevant because it
is specific to the boostrapping handshake that is changed in this
document.
9. IANA Considerations 9. IANA Considerations
This document establishes an entry for the HTTP/2 Settings Registry This document establishes an entry for the HTTP/2 Settings Registry
that was established by Section 11.3 of [RFC7540]. that was established by Section 11.3 of [RFC7540].
Name: SETTINGS_ENABLE_CONNECT_PROTOCOL Name: SETTINGS_ENABLE_CONNECT_PROTOCOL
Code: 0x8 Code: 0x8
Initial Value: 0 Initial Value: 0
Specification: This document Specification: This document
10. References 10. Normative References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
DOI 10.17487/RFC6454, December 2011, DOI 10.17487/RFC6454, December 2011,
<https://www.rfc-editor.org/info/rfc6454>. <https://www.rfc-editor.org/info/rfc6454>.
skipping to change at page 8, line 15 skipping to change at page 8, line 15
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014, RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>. <https://www.rfc-editor.org/info/rfc7230>.
[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
Transfer Protocol Version 2 (HTTP/2)", RFC 7540, Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
DOI 10.17487/RFC7540, May 2015, DOI 10.17487/RFC7540, May 2015,
<https://www.rfc-editor.org/info/rfc7540>. <https://www.rfc-editor.org/info/rfc7540>.
[RFC8164] Nottingham, M. and M. Thomson, "Opportunistic Security for
HTTP/2", RFC 8164, DOI 10.17487/RFC8164, May 2017,
<https://www.rfc-editor.org/info/rfc8164>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10.2. URIs
[1] https://www.iana.org/assignments/http-upgrade-tokens/http-
upgrade-tokens.xhtml
Acknowledgments Acknowledgments
The 2017 HTTP Workshop had a very productive discussion that helped The 2017 HTTP Workshop had a very productive discussion that helped
determine the key problem and acceptable level of solution determine the key problem and acceptable level of solution
complexity. complexity.
Author's Address Author's Address
Patrick McManus Patrick McManus
Mozilla Mozilla
 End of changes. 28 change blocks. 
70 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/