WebSocket is a protocol providing full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011, and the WebSocket API in Web IDL is being standardized by the W3C.
WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. The WebSocket Protocol is an independent TCP-based protocol. Its only relationship to HTTP is that its handshake is interpreted by HTTP servers as an Upgrade request. The WebSocket protocol makes more interaction between a browser and a website possible, facilitating live content and the creation of real-time games. This is made possible by providing a standardized way for the server to send content to the browser without being solicited by the client, and allowing for messages to be passed back and forth while keeping the connection open. In this way a two-way (bi-directional) ongoing conversation can take place between a browser and the server. A similar effect has been achieved in non-standardized ways using stop-gap technologies such as Comet.
In addition, the communications are done over TCP port number 80, which is of benefit for those environments which block non-web Internet connections using a firewall. The WebSocket protocol is currently supported in most major browsers including Google Chrome, Internet Explorer, Firefox, Safari and Opera. WebSocket also requires web applications on the server to support it.
Unlike HTTP, WebSocket provides full-duplex communication. Additionally, WebSocket enables streams of messages on top of TCP. TCP alone deals with streams of bytes with no inherent concept of a message. Before WebSocket, port 80 full-duplex communication was attainable using Comet channels; however, Comet implementation is nontrivial, and due to the TCP handshake and HTTP header overhead, it is inefficient for small messages. WebSocket protocol aims to solve these problems without compromising security assumptions of the web.
An older, less secure version of the protocol was implemented in Opera 11 and Safari 5, as well as the mobile version of Safari in iOS 4.2. The BlackBerry Browser in OS7 implements WebSockets. Because of vulnerabilities, it was disabled in Firefox 4 and 5, and Opera 11.
WebSocket protocol handshake
To establish a WebSocket connection, the client sends a WebSocket handshake request, for which the server returns a WebSocket handshake response, as shown in the following example:
GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Origin: http://example.com
HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk= Sec-WebSocket-Protocol: chat
The handshake resembles HTTP so that servers can handle HTTP connections as well as WebSocket connections on the same port. However the specific fields involved, and what follows after the handshake, do not conform to the HTTP protocol.
Note that each line ends with an EOL (end of line) sequence,
\r\n. There must be an extra blank line at the end.
The client sends a
Sec-WebSocket-Key which is a random value that has been base64 encoded. To form a response, the GUID
258EAFA5-E914-47DA-95CA-C5AB0DC85B11 is appended to this base64 encoded key. The base64 encoded key will not be decoded first. The resulting string is then hashed with SHA-1, then base64 encoded. Finally, the resulting reply occurs in the header
Once the connection is established, the client and server can send WebSocket data or text frames back and forth in full-duplex mode. The data is minimally framed, with a small header followed by payload. WebSocket transmissions are described as "messages", where a single message can optionally be split across several data frames. This can allow for sending of messages where initial data is available but the complete length of the message is unknown (it sends one data frame after another until the end is reached and marked with the FIN bit). With extensions to the protocol, this can also be used for multiplexing several streams simultaneously (for instance to avoid monopolizing use of a socket for a single large payload).
It is important (from a security perspective) to validate the "Origin" header during the connection establishment process on the serverside (against the expected origins) to avoid Cross-Site WebSocket Hijacking attacks, which might be possible when the connection is authenticated with Cookies or HTTP authentication. It is better to use tokens or similar protection mechanisms to authenticate the WebSocket connection when sensitive (private) data is being transferred over the WebSocket.
WebSocket protocol client implementations try to detect if the user agent is configured to use a proxy when connecting to destination host and port and, if it is, uses HTTP CONNECT method to set up a persistent tunnel.
While the WebSocket protocol itself is unaware of proxy servers and firewalls, it features an HTTP-compatible handshake so that HTTP servers can share their default HTTP and HTTPS ports (80 and 443) with a WebSocket gateway or server. The WebSocket protocol defines a ws:// and wss:// prefix to indicate a WebSocket and a WebSocket Secure connection, respectively. Both schemes use an HTTP upgrade mechanism to upgrade to the WebSocket protocol. Some proxy servers are transparent and work fine with WebSocket; others will prevent WebSocket from working correctly, causing the connection to fail. In some cases, additional proxy server configuration may be required, and certain proxy servers may need to be upgraded to support WebSocket.
If unencrypted WebSocket traffic flows through an explicit or a transparent proxy server on its way to the WebSocket server, then, whether or not the proxy server behaves as it should, the connection is almost certainly bound to fail today (as WebSocket becomes more mainstream, proxy servers may become WebSocket aware). Therefore, unencrypted WebSocket connections should be used only in the simplest topologies.
If an encrypted WebSocket connection is used, then the use of Transport Layer Security (TLS) in the WebSocket Secure connection ensures that an HTTP CONNECT command is issued when the browser is configured to use an explicit proxy server. This sets up a tunnel, which provides low-level end-to-end TCP communication through the HTTP proxy, between the WebSocket Secure client and the WebSocket server. In the case of transparent proxy servers, the browser is unaware of the proxy server, so no HTTP CONNECT is sent. However, since the wire traffic is encrypted, intermediate transparent proxy servers may simply allow the encrypted traffic through, so there is a much better chance that the WebSocket connection will succeed if WebSocket Secure is used. Using encryption is not free of resource cost, but often provides the highest success rate since it would be travelling through a secure tunnel.
A mid-2010 draft(version hixie-76) broke compatibility with reverse-proxies and gateways by including 8 bytes of key data after the headers, but not advertising that data in a
Content-Length: 8 header. This data was not forwarded by all intermediates, which could lead to protocol failure. More recent drafts (e.g., hybi-09) put the key data in a
Sec-WebSocket-Key header, solving this problem.
The WebSocket protocol specification defines two new URI schemes, ws: and wss:, for unencrypted and encrypted connections respectively. Apart from the scheme name and fragment (# is not supported), the rest of the URI components are defined to use URI generic syntax.
All the latest browsers support the latest specification (RFC 6455) of the WebSocket protocol. A detailed protocol test suite report lists the conformance of those browsers to specific protocol aspects.
|Protocol||Draft date||Internet Explorer||Firefox (PC)||Firefox (Android)||Chrome (PC, Mobile)||Safari (Mac, iOS)||Opera (PC, Mobile)||Android Browser|
|hixie-75||February 4, 2010||4||5.0.0|
|May 6, 2010
May 23, 2010
|4.0 (disabled)||6||5.0.1||11.00 (disabled)|
|7 hybi-07||April 22, 2011||61|
|8 hybi-10||July 11, 2011||71||7||14|
|13 RFC 6455||December, 2011||10||11||11||16||6||12.10||4.4|
1 Gecko-based browsers versions 6–10 implement the WebSocket object as "MozWebSocket", requiring extra code to integrate with existing WebSocket-enabled code.
Using the Google Chrome Developer Tools, developers can inspect the WebSocket handshake as well as the WebSocket frames.
- Ian Fette; Alexey Melnikov (December 2011). "Relationship to TCP and HTTP". RFC 6455 The WebSocket Protocol. IETF. sec. 1.7. RFC 6455. https://tools.ietf.org/html/rfc6455#section-1.7.
- "Glossary:WebSockets". Mozilla Developer Network. 2015.
- Dirkjan Ochtman (May 27, 2011). "WebSocket enabled in Firefox 6". Mozilla.org. Retrieved 2011-06-30.
- "Chromium Web Platform Status". Retrieved 2011-08-03.
- "WebSockets (Windows)". Microsoft. 2012-09-28. Retrieved 2012-11-07.
- Katie Marsal (November 23, 2010). "Apple adds accelerometer, WebSockets support to Safari in iOS 4.2". AppleInsider.com. Retrieved 2011-05-09.
- "Web Sockets API". BlackBerry. Retrieved 8 July 2011.
- Chris Heilmann (December 8, 2010). "WebSocket disabled in Firefox 4". Hacks.Mozilla.org. Retrieved 2011-05-09.
- Aleksander Aas (December 10, 2010). "Regarding WebSocket". My Opera Blog. Archived from the original on 2010-12-15. Retrieved 2011-05-09.
- Ian Fette; Alexey Melnikov (December 2011). "Protocol Overview". RFC 6455 The WebSocket Protocol. IETF. sec. 1.2. RFC 6455. https://tools.ietf.org/html/rfc6455#section-1.2.
- Ian Fette; Alexey Melnikov (December 2011). "Opening Handshake". RFC 6455 The WebSocket Protocol. IETF. p. 8. sec. 1.3. RFC 6455. https://tools.ietf.org/html/rfc6455#section-1.3.
- Christian Schneider (August 31, 2013). "Cross-Site WebSocket Hijacking (CSWSH)". Web Application Security Blog.
- Peter Lubbers (March 16, 2010). "How Web Sockets Interact With Proxy Servers". InfoQ.com. C4Media Inc. Retrieved 2011-12-10.
- Willy Tarreau (2010-07-06). "WebSocket -76 is incompatible with HTTP reverse proxies". ietf.org (email). Internet Engineering Task Force. Retrieved 2011-12-10.
- Ian Fette (June 13, 2011). "Sec-WebSocket-Key". The WebSocket protocol, draft hybi-09. sec. 11.4. http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-09#section-11.4#section-11.4. Retrieved June 15, 2011.
- Graham Klyne, ed. (2011-11-14). "IANA Uniform Resource Identifer (URI) Schemes". Internet Assigned Numbers Authority. Retrieved 2011-12-10.
- Ian Fette; Alexey Melnikov (December 2011). "WebSocket URIs". RFC 6455 The WebSocket Protocol. IETF. sec. 3. RFC 6455. https://tools.ietf.org/html/rfc6455#section-3.
- "WebSockets Protocol Test Report". Tavendo.de. 2011-10-27. Retrieved 2011-12-10.
- "WebSockets (support in Firefox)". developer.mozilla.org. Mozilla Foundation. 2011-09-30. Retrieved 2011-12-10.
- "Bug 640003 - WebSockets - upgrade to ietf-06". Mozilla Foundation. 2011-03-08. Retrieved 2011-12-10.
- "Bug 640003 - WebSockets - upgrade to ietf-07(comment 91)". Mozilla Foundation. 2011-07-22.
- "Chromium bug 64470". code.google.com. Google. 2010-11-25. Retrieved 2011-12-10.
- "WebSockets in Windows Consumer Preview". IE Engineering Team. Microsoft. 2012-03-19. Retrieved 2012-07-23.
- "WebKit Changeset 97247: WebSocket: Update WebSocket protocol to hybi-17". trac.webkit.org. Retrieved 2011-12-10.
- "A hot Opera 12.50 summer-time snapshot". Opera Developer News. 2012-08-03. Archived from the original on 2012-08-05. Retrieved 2012-08-03.
- "WebSockets - MDN". developer.mozilla.org. Mozilla Foundation. 2011-09-30. Retrieved 2011-12-10.
- Peter Beverloo. "List of Chromium Command Line Switches". peter.sh. Retrieved 2011-12-10.
- Wang, Vanessa; Salim, Frank; Moskovits, Peter (February 2013). "APPENDIX A: WebSocket Frame Inspection with Google Chrome Developer Tools". The Definitive Guide to HTML5 WebSocket. Apress. ISBN 978-1-4302-4740-1. Retrieved 7 April 2013.
- IETF Hypertext-Bidirectional (HyBi) working group
- The WebSocket API - W3C Working Draft specification of the API
- The WebSocket API - W3C Candidate Recommendation specification of the API