[e] (0) remove obsolete warning

git-svn-id: http://svn.whatwg.org/webapps@5045 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Apr 14, 2010 · 36f51a5 · 36f51a5
1 parent 564f4b4
commit 36f51a5
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 32 deletions.
diff --git a/complete.html b/complete.html
@@ -70764,22 +70764,6 @@ <h6 id="reading-the-client's-opening-handshake"><span class=secno>10.3.4.4.1 </s
     purposes. Their semantics are equivalent to the semantics of the
     HTTP headers with the same names.</p>
 
-    <p class=warning>If a server reads fields for authentication
-    purposes (such as <code title="">Cookie</code>), or if a server
-    assumes that its clients are authorized on the basis that they can
-    connect (e.g. because they are on an intranet firewalled from the
-    public Internet), then the server should also verify that the
-    client's handshake includes the invariant "Upgrade" and
-    "Connection" parts of the handshake, and should send the server's
-    handshake before changing any user data. Otherwise, an attacker
-    could trick a client into sending WebSocket frames to a server
-    (e.g. using <code>XMLHttpRequest</code>) and cause the server to
-    perform actions on behalf of the user without the user's
-    consent. (Sending the server's handshake ensures that the frames
-    were not sent as part of a cross-protocol attack, since other
-    protocols do not send the necessary components in the client's
-    initial handshake for forming the server's handshake.)</p>
-
    </dd>
 
   </dl><p>Unrecognized fields can be safely ignored, and are probably

diff --git a/source b/source
@@ -79412,22 +79412,6 @@ multi-origin semantics described in [ORIGIN] applying. (http-origin)
     purposes. Their semantics are equivalent to the semantics of the
     HTTP headers with the same names.</p>
 
-    <p class="warning">If a server reads fields for authentication
-    purposes (such as <code title="">Cookie</code>), or if a server
-    assumes that its clients are authorized on the basis that they can
-    connect (e.g. because they are on an intranet firewalled from the
-    public Internet), then the server should also verify that the
-    client's handshake includes the invariant "Upgrade" and
-    "Connection" parts of the handshake, and should send the server's
-    handshake before changing any user data. Otherwise, an attacker
-    could trick a client into sending WebSocket frames to a server
-    (e.g. using <code>XMLHttpRequest</code>) and cause the server to
-    perform actions on behalf of the user without the user's
-    consent. (Sending the server's handshake ensures that the frames
-    were not sent as part of a cross-protocol attack, since other
-    protocols do not send the necessary components in the client's
-    initial handshake for forming the server's handshake.)</p>
-
    </dd>
 
   </dl>