Sec-WebSocket-Key 有什么用? [英] What is Sec-WebSocket-Key for?
问题描述
在 draft-ietf-hybi-的第 1.3 节打开握手"中websocketprotocol-17,它描述了Sec-WebSocket-Key如下:
为了证明握手已收到,服务器必须获取两条信息并将它们组合起来形成响应.第一条信息来自|Sec-WebSocket-Key|客户端握手中的标头字段:
To prove that the handshake was received, the server has to take two pieces of information and combine them to form a response. The first piece of information comes from the |Sec-WebSocket-Key| header field in the client handshake:
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
对于这个头域,服务器必须取值(在头域中存在,例如 base64 编码的 [RFC4648] 版本减去任何前导和尾随空格),并将其与全局唯一标识符 (GUID) 连接起来, [RFC4122]) "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" 字符串形式,不太可能被不理解 WebSocket 协议的网络端点使用.然后在服务器的握手 [FIPS.180-2.2002] 中返回此连接的 SHA-1 哈希(160 位)、base64 编码(参见 [RFC4648] 的第 4 节).
For this header field, the server has to take the value (as present in the header field, e.g. the base64-encoded [RFC4648] version minus any leading and trailing whitespace), and concatenate this with the Globally Unique Identifier (GUID, [RFC4122]) "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" in string form, which is unlikely to be used by network endpoints that do not understand the WebSocket protocol. A SHA-1 hash (160 bits), base64-encoded (see Section 4 of [RFC4648]), of this concatenation is then returned in the server's handshake [FIPS.180-2.2002].
这是我无法理解的事情:为什么不简单地返回代码 101?如果正确使用 Sec-WebSocket-Key 是为了安全,或者是为了证明它们可以处理 websocket 请求,那么任何服务器都可以根据需要返回预期的密钥,并假装它们是 WebSocket 服务器.
Here's the thing I can't understand: why not simply return code 101? If the proper use of Sec-WebSocket-Key is for security, or to prove they can handle websocket requests, then any server could return the expected key if they wanted to, and pretend they are a WebSocket server.
推荐答案
根据 RFC 6455 Websocket 标准
According to RFC 6455 Websocket standard
第一部分:
.. the server has to prove to the client that it received the
client's WebSocket handshake, so that the server doesn't accept
connections that are not WebSocket connections. This prevents an
attacker from tricking a WebSocket server by sending it carefully
crafted packets using XMLHttpRequest [XMLHttpRequest] or a form
submission.
...
For this header field, the server has to take the value (as present
in the header field, e.g., the base64-encoded [RFC4648] version minus
any leading and trailing whitespace) and concatenate this with the
Globally Unique Identifier (GUID, [RFC4122]) "258EAFA5-E914-47DA-
95CA-C5AB0DC85B11" in string form, which is unlikely to be used by
network endpoints that do not understand the WebSocket Protocol.
第二部分:
The |Sec-WebSocket-Key| header field is used in the WebSocket opening
handshake. It is sent from the client to the server to provide part
of the information used by the server to prove that it received a
valid WebSocket opening handshake. This helps ensure that the server
does not accept connections from non-WebSocket clients (e.g., HTTP
clients) that are being abused to send data to unsuspecting WebSocket
servers.
因此,由于标准中指定了 GUID 的值,因此不知道 Websockets 的服务器不太可能(可能,概率很小)会使用它.它不提供任何安全性(安全 websockets - wss://- 提供),它只是确保服务器理解 websockets 协议.
So, as the value of the GUID is specified in the standard, it is unlikely (possible, put with very small probability) that the server which is not aware of Websockets will use it. It does not provide any security (secure websockets - wss:// - does), it just ensures that server understands websockets protocol.
实际上,正如您所提到的,如果您知道 websockets(这是要检查的内容),您可以通过发送正确的响应假装是一个 websocket 服务器.但是,如果您不正确地采取行动(例如正确地形成框架),它将被视为违反协议.其实,你可以写一个不正确的websocket服务器,但是用处不大.
Really, as you've mentioned, if you are aware of websockets (that's what to be checked), you could pretend to be a websocket server by sending correct response. But then, if you will not act correctly (e.g. form frames correctly), it will be considered as a protocol violation. Actually, you can write a websocket server that is incorrect, but there will be not much use in it.
另一个目的是防止客户端意外请求 websockets 升级而不期望它(例如,通过手动添加相应的标头然后期望其他).禁止在浏览器中使用 setRequestHeader 方法设置 Sec-WebSocket-Key 和其他相关标头.
And another purpose is to prevent clients accidentally requesting websockets upgrade not expecting it (say, by adding corresponding headers manually and then expecting smth else). Sec-WebSocket-Key and other related headers are prohibited to be set using setRequestHeader method in browsers.
这篇关于Sec-WebSocket-Key 有什么用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
