WebSocket is a technology providing for bi-directional, full-duplex communications channels, over a single Transmission Control Protocol
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
In computer networking, an Internet socket or network socket is an endpoint of a bidirectional inter-process communication flow across an Internet Protocol-based computer network, such as the Internet....
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
Web server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
s, but it can be used by any client or server application. The WebSocket API
Application programming interface
An application programming interface is a source code based specification intended to be used as an interface by software components to communicate with each other...
The World Wide Web Consortium is the main international standards organization for the World Wide Web .Founded and headed by Tim Berners-Lee, the consortium is made up of member organizations which maintain full-time staff for the purpose of working together in the development of standards for the...
, and the WebSocket protocol has been standardized by the IETF
Internet Engineering Task Force
The Internet Engineering Task Force develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the TCP/IP and Internet protocol suite...
In computer network engineering, a Request for Comments is a memorandum published by the Internet Engineering Task Force describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.Through the Internet Society, engineers and...
6455. Because ordinary TCP connections to port numbers other than 80 are frequently blocked by administrators outside of home environments, it can be used as a way to overcome these restrictions and provide similar functionality with some additional protocol overhead
Protocol overhead
Protocol overhead refers to metadata and network routing information sent by an application, which uses a portion of the available bandwidth of a communications protocol...
while multiplexing several WebSocket services over a single TCP port.
For the client side, WebSocket was implemented in Firefox 4, Google Chrome
Google Chrome
Google Chrome is a web browser developed by Google that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. The name is derived from the graphical user interface frame, or...
Opera is a web browser and Internet suite developed by Opera Software with over 200 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages, managing contacts, chatting on IRC, downloading files via BitTorrent,...
Safari is a web browser developed by Apple Inc. and included with the Mac OS X and iOS operating systems. First released as a public beta on January 7, 2003 on the company's Mac OS X operating system, it became Apple's default browser beginning with Mac OS X v10.3 "Panther". Safari is also the...
5, as well as the mobile version of Safari in iOS 4.2. Also, the BlackBerry Browser in OS7 supports WebSocket. However, although present, support was disabled by default in Firefox 4 and 5 and Opera 11 because of concerns over security vulnerabilities. The new -07 version of the WebSocket protocol, which fixes the protocol bug, is implemented and enabled by default in Firefox 6 and in Chrome 14.
There is also a command line switch for Google Chrome (--enable-websocket-over-spdy) that enables an early experimental implementation of WebSocket over SPDY
SPDY
SPDY is a networking protocol for transporting web content developed by Google and used in accessing Google web services from their browser Google Chrome. Google promotes the protocol in the open-source project Chromium to augment the Hypertext Transfer Protocol protocol, achieving higher...
.
WebSocket Protocol Handshake
To establish a WebSocket connection, the client sends a WebSocket handshake request, and the server sends a WebSocket handshake response, as shown in the following example:
draft-ietf-hybi-thewebsocketprotocol-00
This is the older handshake mechanism; see below for newer versions.
Browser request to the server:
GET /demo HTTP/1.1
Upgrade: WebSocket
Connection: Upgrade
Host: example.com
Origin: http://example.com
Sec-WebSocket-Key1: 4 @1 46546xW%0l 1 5
Sec-WebSocket-Key2: 12998 5 Y3 1 .P00
The Sec-WebSocket-Key1 and Sec-WebSocket-Key2 fields and the 8 bytes after the fields are random tokens which the server uses to construct a 16-byte token at the end of its handshake to prove that it has read the client's handshake.
The handshake is constructed by concatenating the numbers from the first key, and dividing by the number of spaces. This is then repeated for the second key. The two resulting numbers are concatenated with each other, and with the last 8 bytes after the fields. The final result is an MD5
MD5
The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity...
sum of the concatenated string.
The handshake looks like HTTP but actually isn't. It allows the server to interpret part of the handshake request as HTTP and then switch to WebSocket.
Once established, WebSocket data frames can be sent back and forth between the client and the server in full-duplex mode. Text frames can be sent full-duplex
Duplex (telecommunications)
A duplex communication system is a system composed of two connected parties or devices that can communicate with one another in both directions. The term multiplexing is used when describing communication between more than two parties or devices....
, in either direction at the same time. The data is minimally framed with just two bytes. Each frame starts with a 0x00 byte, ends with a 0xFF byte, and contains UTF-8 data in between. Binary frames are not supported yet in the API. WebSocket text frames use a terminator, while binary frames use a length prefix.
draft-ietf-hybi-thewebsocketprotocol-06
To establish a WebSocket connection, the client sends a WebSocket handshake request, and the server sends a WebSocket handshake response, as shown in the following example:
GET /ws HTTP/1.1
Host: pmx
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 6
Sec-WebSocket-Origin: http://pmx
Sec-WebSocket-Extensions: deflate-stream
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw
The client sends a Sec-WebSocket-Key which is base64 encoded. To this key the magic string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
is appended, hashed with SHA1 and then base64 encoded. Notice that the Sec-WebSocket-Key is base64 encoded but is not decoded by the server. The result is then replied in the header "Sec-WebSocket-Accept".
Sec-WebSocket-Key to Sec-WebSocket-Accept example :
"x3JJHMbDL1EzLkh9GBhXDw258EAFA5-E914-47DA-95CA-C5AB0DC85B11" string hashed by SHA1 gives "1d29ab734b0c9585240069a6e4e3e91b61da1969" hexadecimal value.
Unix command `printf "\x1d\x29\xab\x73\x4b\x0c\x95\x85\x24\x00\x69\xa6\xe4\xe3\xe9\x1b\x61\xda\x19\x69" | base64` prints "HSmrc0sMlYUkAGmm5OPpG2HaGWk="
Proxy traversal
WebSocket protocol client implementations try to detect if the user agent
User agent
In computing, a user agent is a client application implementing a network protocol used in communications within a client–server distributed computing system...
is configured to use a proxy when connecting to destination host and port and, if it is, uses HTTP CONNECT method to set up a persistent tunnel.
While the WebSocket protocol itself is unaware of proxy servers and firewalls, it features an HTTP-compatible handshake so that HTTP servers can share their default HTTP and HTTPS ports (80 and 443) with a WebSocket gateway or server. The WebSocket protocol defines a ws:// and wss:// prefix to indicate a WebSocket and a WebSocket Secure connection, respectively. Both schemes use an HTTP upgrade mechanism to upgrade to the WebSocket protocol. Some proxy servers are harmless and work fine with WebSocket; others will prevent WebSocket from working correctly, causing the connection to fail. In some cases additional proxy server configuration may be required, and certain proxy servers may need to be upgraded to support WebSocket.
If unencrypted WebSocket traffic flows through an explicit or a transparent proxy server on its way to the WebSocket server, then, whether or not the proxy server behaves as it should, the connection is almost certainly bound to fail today (as WebSocket become more mainstream, proxy servers may become WebSocket aware). Therefore, unencrypted WebSocket connections should be used only in the simplest topologies.
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
(TLS) in the WebSocket Secure connection ensures that an HTTP CONNECT command is issued when the browser is configured to use an explicit proxy server. This sets up a tunnel, which provides low-level end-to-end TCP communication through the HTTP proxy, between the WebSocket Secure client and the WebSocket server. In the case of transparent proxy servers, the browser is unaware of the proxy server, so no HTTP CONNECT is sent. However, since the wire traffic is encrypted, intermediate transparent proxy servers may simply allow the encrypted traffic through, so there is a much better chance that the WebSocket connection will succeed if WebSocket Secure is used. Using encryption is not free of resource cost, but often provides the highest success rate.
A mid-2010 draft (version hixie-76) broke compatibility with reverse-proxies and gateways by including 8 bytes of key data after the headers, but not advertising that data in a Content-Length: 8 header. This data was not forwarded by all intermediates, which could lead to protocol failure. More recent drafts (e.g., hybi-09) put the key data in a Sec-WebSocket-Key header, solving this problem.
URL scheme
The WebSocket protocol specification defines two new URI
Úri
Úriis a village and commune in the comitatus of Pest in Hungary....
schemes, ws: and wss:, for unencrypted and encrypted connections respectively. Apart from the scheme name, the rest of the URI components are defined to use URI generic syntax.
Browser support
Chrome 14, Firefox 7 and Internet Explorer 10 are currently the only browsers supporting the latest draft specification ("hybi-10") of the WebSocket protocol. A detailed protocol test suite report lists the conformance of those browsers to specific protocol aspects.
Firefox 4 and Opera 11 originally supported the outdated draft-ietf-hybi-thewebsocketprotocol-00 WebSocket, but have since disabled the protocol by default due to security issues. Chrome also plans to disable the WebSocket if actual exploit code appears before the protocol is revised.
Current versions of Microsoft's Internet Explorer support the draft-ietf-hybi-thewebsocketprotocol-09 through a prototype, HTML5 Labs.
1 Gecko-based browsers versions 6, 7 and 8-beta implement the WebSocket object as "MozWebSocket", requiring extra code to integrate with existing WebSocket-enabled code.
- Rationale :The WebSocket protocol is implemented in different browsers, run-time environments and libraries acting as clients or servers. The intention of this comparison is to show different features of WebSocket implementations to help developers and users making informed decisions regarding...
XMLHttpRequest is an API available in web browser scripting languages such as JavaScript. It is used to send HTTP or HTTPS requests directly to a web server and load the server response data directly back into the script. The data might be received from the server as XML text or as plain text...
Push technology, or server push, describes a style of Internet-based communication where the request for a given transaction is initiated by the publisher or central server...
Comet is a web application model in which a long-held HTTP request allows a web server to push data to a browser, without the browser explicitly requesting it. Comet is an umbrella term, encompassing multiple techniques for achieving this interaction. All these methods rely on features included by...
Server-sent events is a technology for providing push notifications from a server to a browser client in the form of DOM events. The Server-Sent Events EventSource API is now being standardized as part of HTML5 by the W3C.-History:...
Bidirectional-streams Over Synchronous HTTP is a transport protocol that emulates a bidirectional stream between two entities by using multiple synchronous HTTP request/response pairs without requiring the use of polling or asynchronous chunking.It is a draft standard of the XMPP Standards...
Ian 'Hixie' Hickson is the author and maintainer of the Acid2 and Acid3 tests, and the Web Applications 1.0/HTML 5 specification., Sean Michael Kerner, internetnews.com, January 25, 2008 He is known as a proponent of web standards, and has played a crucial role in the development of specifications...
External links
HLL Websocket Server Article linked to live demo and providing downloadable dhtml for running final draft protocols (submitted as standard).
