WebSocket

WebSocket is a web technology providing for bi-directional, full-duplex communications channels, over a single Transmission Control Protocol (TCP) socket. The WebSocket API is being standardized by the W3C, and the WebSocket protocol has been standardized by the IETF as RFC 6455.^[1]

WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. Because ordinary TCP connections to port numbers other than 80 are frequently blocked by administrators outside of home environments, it can be used as a way to circumvent these restrictions and provide similar functionality with some additional protocol overhead while multiplexing several WebSocket services over a single TCP port. Additionally, it serves a purpose for web applications that require real-time bi-directional communication. Before the implementation of WebSocket, such bi-directional communication was only possible using comet channels; however, a comet is not trivial to implement reliably, and due to the TCP handshake and HTTP header overhead, it may be inefficient for small messages. The WebSocket protocol aims to solve these problems without compromising security assumptions of the web.

For web browser support, a secure version of the WebSocket protocol is implemented in Firefox 6 (named MozWebSocket)^[2], Google Chrome 14^[3] and Internet Explorer 10 developer preview^[4]. An older, less secure version of the protocol was implemented in Opera 11 and Safari 5, as well as the mobile version of Safari in iOS 4.2^[5]. Also, the BlackBerry Browser in OS7 supports WebSocket.^[6].

Although there are no known exploits, it was disabled in Firefox 4 and 5^[7], and has been disabled in Opera 11 until the new version of the protocol is implemented.^[8]

WebSocket protocol handshake

To establish a WebSocket connection, the client sends a WebSocket handshake request, and the server sends a WebSocket handshake response, as shown in the following example:

draft-ietf-hybi-thewebsocketprotocol-00

This is the older handshake mechanism; see below for newer versions.

Browser request to the server:

GET /demo HTTP/1.1
Upgrade: WebSocket
Connection: Upgrade
Host: example.com
Origin: http://example.com
Sec-WebSocket-Key1: 4 @1  46546xW%0l 1 5
Sec-WebSocket-Key2: 12998 5 Y3 1  .P00
 
^n:ds[4U

Server response:

HTTP/1.1 101 WebSocket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Origin: http://example.com
Sec-WebSocket-Location: ws://example.com/demo
Sec-WebSocket-Protocol: sample
 
8jKS'y:G*Co,Wxa-

The Sec-WebSocket-Key1 and Sec-WebSocket-Key2 fields and the 8 bytes after the fields are random tokens which the server uses to construct a 16-byte token at the end of its handshake to prove that it has read the client's handshake.

The handshake is constructed by concatenating the numbers from the first key, and dividing by the number of spaces. This is then repeated for the second key. The two resulting 32-bit numbers are concatenated with each other, and with the last 8 bytes after the fields. The final result is an MD5 sum of the concatenated 128-bit string.^[9]

The handshake looks like HTTP but actually isn't. It allows the server to interpret part of the handshake request as HTTP and then switch to WebSocket.

Once established, WebSocket data frames can be sent back and forth between the client and the server in full-duplex mode. Text frames can be sent full-duplex, in either direction at the same time. The data is minimally framed with just two bytes. Each frame starts with a 0x00 byte, ends with a 0xFF byte, and contains UTF-8 data in between. Binary frames are not supported yet in the API. WebSocket text frames use a terminator, while binary frames use a length prefix.

draft-ietf-hybi-thewebsocketprotocol-06

To establish a WebSocket connection, the client sends a WebSocket handshake request, and the server sends a WebSocket handshake response, as shown in the following example:

GET /ws HTTP/1.1
Host: pmx
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 6
Sec-WebSocket-Origin: http://pmx
Sec-WebSocket-Extensions: deflate-stream
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==

Server response:(Server Architecture)

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=

The client sends a Sec-WebSocket-Key which is base64 encoded. To this key the magic string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" is appended, hashed with SHA-1 and then base64 encoded. Notice that the Sec-WebSocket-Key is base64 encoded but is not decoded by the server. The result is then replied in the header "Sec-WebSocket-Accept".

Sec-WebSocket-Key to Sec-WebSocket-Accept example :

• "x3JJHMbDL1EzLkh9GBhXDw==258EAFA5-E914-47DA-95CA-C5AB0DC85B11" string hashed by SHA-1 gives "1d29ab734b0c9585240069a6e4e3e91b61da1969" hexadecimal value.
• Unix command `printf "\x1d\x29\xab\x73\x4b\x0c\x95\x85\x24\x00\x69\xa6\xe4\xe3\xe9\x1b\x61\xda\x19\x69" | base64` prints "HSmrc0sMlYUkAGmm5OPpG2HaGWk="

Proxy traversal

WebSocket protocol client implementations try to detect if the user agent is configured to use a proxy when connecting to destination host and port and, if it is, uses HTTP CONNECT method to set up a persistent tunnel.

While the WebSocket protocol itself is unaware of proxy servers and firewalls, it features an HTTP-compatible handshake so that HTTP servers can share their default HTTP and HTTPS ports (80 and 443) with a WebSocket gateway or server. The WebSocket protocol defines a ws:// and wss:// prefix to indicate a WebSocket and a WebSocket Secure connection, respectively. Both schemes use an HTTP upgrade mechanism to upgrade to the WebSocket protocol. Some proxy servers are harmless and work fine with WebSocket; others will prevent WebSocket from working correctly, causing the connection to fail. In some cases additional proxy server configuration may be required, and certain proxy servers may need to be upgraded to support WebSocket.

If unencrypted WebSocket traffic flows through an explicit or a transparent proxy server on its way to the WebSocket server, then, whether or not the proxy server behaves as it should, the connection is almost certainly bound to fail today (as WebSocket become more mainstream, proxy servers may become WebSocket aware). Therefore, unencrypted WebSocket connections should be used only in the simplest topologies.^[10]

If an encrypted WebSocket connection is used, then the use of Transport Layer Security (TLS) in the WebSocket Secure connection ensures that an HTTP CONNECT command is issued when the browser is configured to use an explicit proxy server. This sets up a tunnel, which provides low-level end-to-end TCP communication through the HTTP proxy, between the WebSocket Secure client and the WebSocket server. In the case of transparent proxy servers, the browser is unaware of the proxy server, so no HTTP CONNECT is sent. However, since the wire traffic is encrypted, intermediate transparent proxy servers may simply allow the encrypted traffic through, so there is a much better chance that the WebSocket connection will succeed if WebSocket Secure is used. Using encryption is not free of resource cost, but often provides the highest success rate.

A mid-2010 draft (version hixie-76) broke compatibility with reverse-proxies and gateways by including 8 bytes of key data after the headers, but not advertising that data in a Content-Length: 8 header.^[11] This data was not forwarded by all intermediates, which could lead to protocol failure. More recent drafts (e.g., hybi-09^[12]) put the key data in a Sec-WebSocket-Key header, solving this problem.

URL scheme

The WebSocket protocol specification defines two new URI schemes, ws: and wss:,^[13] for unencrypted and encrypted connections respectively. Apart from the scheme name, the rest of the URI components are defined to use URI generic syntax.^[14]

Browser support

Chrome 16, Firefox 11 and Internet Explorer 10 are currently the only browsers supporting the latest specification (RFC 6455) of the WebSocket protocol. A detailed protocol test suite report^[15] lists the conformance of those browsers to specific protocol aspects.

Firefox 4^[16] and Opera 11^[17] originally supported the outdated draft-ietf-hybi-thewebsocketprotocol-00 WebSocket, but have since disabled the protocol by default due to security issues. Chrome also plans to disable the WebSocket if actual exploit code appears before the protocol is revised.^[18]

Implementation status

Protocol	Internet Explorer	Firefox[19]	Chrome	Safari	Opera
hixie-75			4	5.0.0
hixie-76 hybi-00		4.0 (disabled)	6	5.0.1	11.00 (disabled)
hybi-07		6[20]1
hybi-10		7[21]1	14[22]
RFC 6455	10 PP5	11	16[23]	Nightly

¹ Gecko-based browsers versions 6–10 implement the WebSocket object as "MozWebSocket",^[24] requiring extra code to integrate with existing WebSocket-enabled code.

Experimental extensions

There is also a command-line switch for Google Chrome (--enable-websocket-over-spdy) that enables an early experimental implementation of WebSocket over SPDY.^[25]

See also

• Comparison of WebSocket implementations
• XMLHttpRequest
• Push technology
• Comet
• Server-sent events
• BOSH

References

1. RFC 6455
2. Dirkjan Ochtman (May 27, 2011). "WebSocket enabled in Firefox 6". Mozilla.org. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-06-30. 
3. "Chromium Web Platform Status". http://www.chromium.org/developers/web-platform-status. Retrieved 2011-08-03. 
4. "The WebSockets Prototype Gets Another Update". Blogs.msdn.com. 2011-06-22. http://blogs.msdn.com/b/interoperability/archive/2011/06/23/websockets-prototype-gets-another-update.aspx. Retrieved 2011-12-10. 
5. Katie Marsal (November 23, 2010). "Apple adds accelerometer, WebSockets support to Safari in iOS 4.2". AppleInsider.com. http://www.appleinsider.com/articles/10/11/23/apple_adds_accelerometer_websockets_support_to_safari_in_ios_4_2.html. Retrieved 2011-05-09. 
6. "Web Sockets API". RIM. http://docs.blackberry.com/en/developers/deliverables/29271/Web_Sockets_support_1582781_11.jsp. Retrieved 8 July 2011. 
7. Chris Heilmann (December 8, 2010). "WebSocket disabled in Firefox 4". Hacks.Mozilla.org. http://hacks.mozilla.org/2010/12/websockets-disabled-in-firefox-4/. Retrieved 2011-05-09. 
8. Aleksander Aas (December 10, 2010). "Regarding WebSocket". My Opera Blog. http://my.opera.com/chooseopera/blog/2010/12/10/regarding-websocket. Retrieved 2011-05-09. 
9. "The WebSocket protocol". August 16, 2010. http://www.whatwg.org/specs/web-socket-protocol/. Retrieved 2011-05-09. 
10. "How Web Sockets Interact With Proxy Servers". Infoq.com. http://www.infoq.com/articles/Web-Sockets-Proxy-Servers. Retrieved 2011-12-10. 
11. "WebSocket -76 is incompatible with HTTP reverse proxies". Ietf.org. 2010-07-06. http://www.ietf.org/mail-archive/web/hybi/current/msg02149.html. Retrieved 2011-12-10. 
12. "The WebSocket protocol, draft hybi-09". June 13, 2011. http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-09. Retrieved June 15, 2011. 
13. "IANA Uniform Resource Identifer (URI) Schemes". Iana.org. 2011-11-14. http://www.iana.org/assignments/uri-schemes.html. Retrieved 2011-12-10. 
14. "draft-hixie-thewebsocketprotocol-76 - The WebSocket protocol". Tools.ietf.org. http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol. Retrieved 2011-12-10. 
15. "WebSockets Protocol Test Report". Tavendo.de. 2011-10-27. http://www.tavendo.de/autobahn/testsuite/report/clients/index.html. Retrieved 2011-12-10. 
16. "How to enable WebSockets in Firefox". Developer.mozilla.org. 2011-09-30. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-12-10. 
17. "Opera 11 release notes, with procedure to re-enable Web Sockets". My.opera.com. 2010-12-17. http://my.opera.com/ODIN/blog/2010/12/17/new-html5-features-in-opera-11. Retrieved 2011-12-10. 
18. Issue 5643005: Disable WebSocket by default^{[dead link]}
19. "WebSockets (support in Firefox)". Developer.mozilla.org. 2011-09-30. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-12-10. 
20. "Bug 640003 - WebSockets - upgrade to ietf-06". Bugzilla.mozilla.org. https://bugzilla.mozilla.org/show_bug.cgi?id=640003. Retrieved 2011-12-10. 
21. WebSockets - upgrade to ietf-07>
22. "Chromium bug 64470". Code.google.com. 2010-11-25. http://code.google.com/p/chromium/issues/detail?id=64470. Retrieved 2011-12-10. 
23. "WebKit Changeset 97247: WebSocket: Update WebSocket protocol to hybi-17". Trac.webkit.org. http://trac.webkit.org/changeset/97249. Retrieved 2011-12-10. 
24. "WebSockets - MDN". Developer.mozilla.org. 2011-09-30. https://developer.mozilla.org/en/WebSockets. Retrieved 2011-12-10. 
25. "List of Chromium Command Line Switches". Peter.sh. http://peter.sh/experiments/chromium-command-line-switches/. Retrieved 2011-12-10. 

External links

• HLL Websocket Server Article linked to live demo and providing downloadable dhtml for running final draft protocols (submitted as standard).
• IETF Hypertext-Bidirectional (HyBi) working group
  • The WebSocket protocol - Internet-Draft published by the IETF HyBi Working Group
  • The WebSocket protocol - Original protocol proposal by Ian Hickson
• The WebSocket API - W3C draft specification of the API
• WebSocket.org - a commercially sponsored website dedicated to WebSocket
• WebSocketsTest.com - a website to test WebSockets support and operation in your browser.
• HTML5 Server-Push Technologies, Part 2 - explains WebSocket
• Websockets in HTML5 - Easy to understand read on WebSocket
• HTML5 WebSockets: An example with jetty and chrome - A complete example on WebSocket with jetty.
• Web Socket API in BlackBerry Browser with OS7