[giow] (1) Update WebSocket DOS protection to handle proxies.

git-svn-id: http://svn.whatwg.org/webapps@5170 340c8d12-0b0e-0410-8428-c7bf67bfef74

complete.html

@@ -209,7 +209,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
    <hgroup><h1>Web Applications 1.0</h1>
-    <h2 class="no-num no-toc">Draft Standard &mdash; 16 July 2010</h2>
+    <h2 class="no-num no-toc">Draft Standard &mdash; 20 July 2010</h2>
    </hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
    <p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
    <!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -72815,9 +72815,21 @@ <h6 id=opening-handshake-0><span class=secno>10.3.4.3.1 </span>Opening handshake
     is no more than one connection at a time running through the
     following steps.</p>
 
+    <p>If the user agent cannot determine the IP address of the remote
+    host (for example because all communication is being done through
+    a proxy server that performs DNS queries itself), then the user
+    agent must assume for the purposes of this step that each host
+    name refers to a distinct remote host, but should instead limit
+    the total number of simultaneous connections that are not <a href=#websocket-connection-is-established title="WebSocket connection is established">established</a> to
+    a reasonably low number (e.g., in a Web browser, to the number of
+    tabs the user has open).</p>
+
     <p class=note>This makes it harder for a script to perform a
     denial of service attack by just opening a large number of
-    WebSocket connections to a remote host.</p>
+    WebSocket connections to a remote host. A server can further
+    reduce the load on itself when attacked by making use of this by
+    pausing before closing the connection, as that will reduce the
+    rate at which the client reconnects.</p>
 
     <p class=note>There is no limit to the number of <a href=#websocket-connection-is-established title="WebSocket connection is established">established</a>
     WebSocket connections a user agent can have with a single remote

source

@@ -81943,9 +81943,22 @@ Sec-WebSocket-Location: ws://example.com/</pre>
     is no more than one connection at a time running through the
     following steps.</p>
 
+    <p>If the user agent cannot determine the IP address of the remote
+    host (for example because all communication is being done through
+    a proxy server that performs DNS queries itself), then the user
+    agent must assume for the purposes of this step that each host
+    name refers to a distinct remote host, but should instead limit
+    the total number of simultaneous connections that are not <span
+    title="WebSocket connection is established">established</span> to
+    a reasonably low number (e.g., in a Web browser, to the number of
+    tabs the user has open).</p>
+
     <p class="note">This makes it harder for a script to perform a
     denial of service attack by just opening a large number of
-    WebSocket connections to a remote host.</p>
+    WebSocket connections to a remote host. A server can further
+    reduce the load on itself when attacked by making use of this by
+    pausing before closing the connection, as that will reduce the
+    rate at which the client reconnects.</p>
 
     <p class="note">There is no limit to the number of <span
     title="WebSocket connection is established">established</span>