diff --git a/fetch.bs b/fetch.bs index 4332463b2..a34356e87 100644 --- a/fetch.bs +++ b/fetch.bs @@ -39,11 +39,6 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:sec-list-and-record-specification-type;text:Record -
-spec:websockets; type:interface; text:WebSocket -spec:websockets; type:attribute; text:bufferedAmount; for:WebSocket --
{ "HTTP": { @@ -169,7 +164,7 @@ exposes most of the networking functionality at a fairly low level of abstractioThis specification depends on the Infra Standard. [[!INFRA]]
This specification uses terminology from the ABNF, Encoding, HTML, HTTP, IDL, MIME Sniffing, -Streams, and URL Standards. +Streams, URL, and WebSockets Standards. [[!ABNF]] [[!ENCODING]] [[!HTML]] @@ -178,6 +173,7 @@ Streams, and URL Standards. [[!MIMESNIFF]] [[!STREAMS]] [[!URL]] +[[!WEBSOCKETS]]
ABNF means ABNF as augmented by HTTP (in particular the addition of
#
) and RFC 7405. [[!RFC7405]] @@ -805,8 +801,8 @@ A: 3
Otherwise, append (name, value) to list. -
Combine is used by {{XMLHttpRequest}} and the -WebSocket protocol handshake. +
Combine is used by {{XMLHttpRequest}} and the +WebSocket protocol handshake.
To convert header names to a sorted-lowercase set, given a list of names headerNames, run these steps: @@ -1804,8 +1800,8 @@ to not have to set request's referrer.
websocket
"
- Even though the default request mode is "no-cors
",
@@ -8005,150 +8001,6 @@ fetch("https://www.example.com/")
-
This section replaces part of the WebSocket protocol opening handshake client requirement to - integrate it with algorithms defined in Fetch. This way CSP, cookies, HSTS, and other Fetch-related - protocols are handled in a single location. Ideally the RFC would be updated with this language, - but it is never that easy. The WebSocket API, defined in the HTML Standard, has been updated to use - this language. [[!WSP]] [[!HTML]] - -
The way this works is by replacing The WebSocket Protocol's "establish a WebSocket connection" - algorithm with a new one that integrates with Fetch. "Establish a WebSocket connection" consists of - three algorithms: setting up a connection, creating and transmiting a handshake request, and - validating the handshake response. That layering is different from Fetch, which first creates a - handshake, then sets up a connection and transmits the handshake, and finally validates the - response. Keep that in mind while reading these alterations. -
To obtain a WebSocket connection, given a -url, run these steps: - -
Let host be url's host. - -
Let port be url's port. - -
Let secure be false, if url's scheme is
- "http
", and true otherwise.
-
-
Follow the requirements stated in step 2 to 5, inclusive, of the first set of steps in - section 4.1 of The WebSocket - Protocol to establish a WebSocket connection. [[!WSP]] - -
If that established a connection, return it, and return failure otherwise. -
Although structured a little differently, carrying different properties, and -therefore not shareable, a WebSocket connection is very close to identical to an "ordinary" -connection. - - -
To establish a WebSocket connection, given a -url, protocols, and client, run these steps: - -
Let requestURL be a copy of url, with its
- scheme set to
- "http
", if url's
- scheme is "ws
", and
- to "https
" otherwise.
-
-
This change of scheme is essential to integrate well with - fetching. E.g., HSTS would not work without it. There is no real - reason for WebSocket to have distinct schemes, it's a legacy artefact. - [[!HSTS]] - -
Let request be a new request, whose
- URL is requestURL,
- client is client,
- service-workers mode is "none
",
- referrer is "no-referrer
",
- mode is "websocket
",
- credentials mode is
- "include
",
- cache mode is "no-store
", and
- redirect mode is "error
".
-
-
Append (`Upgrade
`, `websocket
`) to
- request's header list.
-
-
Append (`Connection
`, `Upgrade
`) to
- request's header list.
-
-
Let keyValue be a nonce consisting of a randomly selected 16-byte value that has - been forgiving-base64-encoded and isomorphic encoded. - -
If the randomly selected value was the byte sequence 0x01 0x02 0x03 0x04 0x05
- 0x06 0x07 0x08 0x09 0x0a 0x0b 0x0c 0x0d 0x0e 0x0f 0x10, keyValue would be
- forgiving-base64-encoded to "AQIDBAUGBwgJCgsMDQ4PEC==
" and isomorphic encoded
- to `AQIDBAUGBwgJCgsMDQ4PEC==
`.
-
-
Append (`Sec-WebSocket-Key
`, keyValue) to
- request's header list.
-
-
Append (`Sec-WebSocket-Version
`, `13
`) to
- request's header list.
-
-
For each protocol in protocols, combine
- (`Sec-WebSocket-Protocol
`, protocol) in request's
- header list.
-
-
Let permessageDeflate be a user-agent defined
- "permessage-deflate
" extension header value. [[!WSP]]
-
-
`permessage-deflate; client_max_window_bits
`
-
-
Append (`Sec-WebSocket-Extensions
`,
- permessageDeflate) to request's header list.
-
-
Fetch request with useParallelQueue - set to true, and processResponse given response being these - steps: - -
If response is a network error or its status is not - 101, fail the WebSocket connection. - -
If protocols is not the empty list and extracting header list values given
- `Sec-WebSocket-Protocol
` and response's header list
- results in null, failure, or the empty byte sequence, then fail the WebSocket connection.
-
-
This is different from the check on this header defined by The WebSocket Protocol. - That only covers a subprotocol not requested by the client. This covers a subprotocol requested - by the client, but not acknowledged by the server. - -
Follow the requirements stated step 2 to step 6, inclusive, of the last set of steps in - section 4.1 of The - WebSocket Protocol to validate response. This either results in - fail the WebSocket connection or the WebSocket connection is established. -
Fail the WebSocket connection and the WebSocket connection is established -are defined by The WebSocket Protocol. [[!WSP]] - -
The reason redirects are not followed and this handshake is generally restricted is -because it could introduce serious security problems in a web browser context. For example, consider -a host with a WebSocket server at one path and an open HTTP redirector at another. Suddenly, any -script that can be given a particular WebSocket URL can be tricked into communicating to (and -potentially sharing secrets with) any host on the internet, even if the script checks that the URL -has the right hostname. - - - -
data:
URLsFor an informative description of data:
URLs, see RFC 2397. This section replaces
@@ -8316,6 +8168,15 @@ resource — for non-CORS requests as well as CORS
requests — and do not use `Vary
`.
+
Fetch used to define obtain a WebSocket connection, +establish a WebSocket connection, +fail the WebSocket connection, and +the WebSocket connection is established, all of which are now defined in +WebSockets. [[!WEBSOCKETS]] + +