什么是Sec-WebSocket-Key?

draft-ietf-hybi-thewebsocketprotocol-17的1.3节“打开握手”中,描述Sec-WebSocket-Key如下:

To prove that the handshake was received, the server has to take two pieces of information and combine them to form a response. The first piece of information comes from the |Sec-WebSocket-Key| header field in the client handshake:

06000

For this header field, the server has to take the value (as present in the header field, e.g. the base64-encoded [RFC4648] version minus any leading and trailing whitespace), and concatenate this with the Globally Unique Identifier (GUID, [RFC4122]) “258EAFA5-E914-47DA-95CA-C5AB0DC85B11” in string form, which is unlikely to be used by network endpoints that do not understand the WebSocket protocol. A SHA-1 hash (160 bits), base64-encoded (see Section 4 of [RFC4648]), of this concatenation is then returned in the server’s handshake [FIPS.180-2.2002].

这是我不明白的东西:为什么不简单地返回代码101?如果正确使用Sec-WebSocket-Key是为了安全的,或者证明他们可以处理websocket请求,那么如果任何服务器想要,并假装它们是WebSocket服务器,任何服务器都可以返回预期的密钥。

根据RFC 6455的Websocket标准

first part

.. the server has to prove to the client that it received the
client's WebSocket handshake, so that the server doesn't accept
connections that are not WebSocket connections.  This prevents an
attacker from tricking a WebSocket server by sending it carefully
crafted packets using XMLHttpRequest [XMLHttpRequest] or a form
submission.

...
For this header field, the server has to take the value (as present
in the header field, e.g., the base64-encoded [RFC4648] version minus
any leading and trailing whitespace) and concatenate this with the
Globally Unique Identifier (GUID, [RFC4122]) "258EAFA5-E914-47DA-
95CA-C5AB0DC85B11" in string form, which is unlikely to be used by
network endpoints that do not understand the WebSocket Protocol.

second part

The |Sec-WebSocket-Key| header field is used in the WebSocket opening
handshake.  It is sent from the client to the server to provide part
of the information used by the server to prove that it received a
valid WebSocket opening handshake.  This helps ensure that the server
does not accept connections from non-WebSocket clients (e.g., HTTP
clients) that are being abused to send data to unsuspecting WebSocket
servers.

所以,由于在标准中指定了GUID的值,因此不了解Websockets的服务器将不可能使用它。它不提供任何安全性(安全的websockets – wss:// – ),它只是确保服务器了解websockets协议。

真的,如你所提到的,如果你知道websockets(这是什么要检查),你可以假装成为一个websocket服务器发送正确的响应。但是,如果您不能正确地执行操作(例如正确的表单框架),那么它将被视为违反协议。其实你可以编写一个不正确的websocket服务器,但是没有太多的用处。

另一个目的是防止客户端意外地请求websockets升级,而不是期待它(例如,通过手动添加相应的头,然后期待smth else)。 Sec-WebSocket-Key和其他相关头文件禁止在浏览器中使用setRequestHeader方法进行设置。

http://stackoverflow.com/questions/18265128/what-is-sec-websocket-key-for

本站文章除注明转载外,均为本站原创或编译
转载请明显位置注明出处:什么是Sec-WebSocket-Key?