Intent to Ship: WebSocket: permit connection reuse for auth

115 views
Skip to first unread message

Adam Rice

unread,
Oct 11, 2018, 8:41:16 AM10/11/18
to blink-dev

Contact emails
ri...@chromium.org

Spec
https://tools.ietf.org/html/rfc6455 (the WebSocket protocol)

https://tools.ietf.org/html/rfc4559 (HTTP "Negotiate" authentication)


Summary
This is a network-only change. I am using the Blink process because it is exposed to servers via changed behaviour.


When receiving a 401 or 407 HTTP response during the WebSocket handshake, Chrome will attempt to continue authentication on the same socket.

Windows HTTP authentication usually requires a single connection be reused in order for authentication to succeed. Up until now, Chrome has always closed the connection on a 401 status response, so Windows authentication has not worked.


Windows HTTP authentication is documented in RFC 4559. Its connection-level authentication is controversial, but widely supported by browsers, including Chrome for ordinary HTTP.

Windows authentication support is mostly useful in enterprise environments where single-sign-on is used.


Link to “Intent to Implement” blink-dev discussion

https://groups.google.com/a/chromium.org/d/msg/blink-dev/KHSDQyr1ggA/f5kLDYPeAwAJ

Motivation
Lack of support for Windows single-sign-on causes interoperability problems. Implementers are forced to either provide a degraded user experience for Chrome users, or not support Chrome at all.

Interoperability risk
Firefox: Shipped
Edge: Shipped
Safari: No public signals
Web developers: Strongly positive (issue has 53 stars)

This change will improve interoperability by bringing Chrome's behaviour in line with Firefox and Edge.


Safari does not support HTTP authentication at all, so naturally it doesn't support Windows HTTP authentication.

Compatibility risk
There is a risk that servers will be confused by connection reuse where previously there was none. For this reason, we only perform connection reuse after responses with 401 and 407 HTTP status codes.


A series of Finch trials were used to validate web compatibility. The experiments showed no significant negative impact on metrics or stability. A detailed write-up of the largest experiment is here: https://docs.google.com/document/d/1Fd-QlauKWWhHjO-8Xsl-3EGH_f6T_w3as_JhdoqHCEA/edit. There is evidence that the change results in a small increase in the total number of WebSocket connections attempted.


Standard-compliance of this change is supported by the following paragraph in the WebSocket RFC, section 4.1:

  1. If the status code received from the server is not 101, the
       client handles the response per HTTP [RFC2616] procedures.  In
       particular, the client might perform authentication if it
       receives a 401 status code; the server might redirect the client
       using a 3xx status code (but clients are not required to follow
       them), etc.  Otherwise, proceed as follows.


Co-author of the WebSocket RFC Alexey Melnikov confirms that this behaviour accords with the spirit of the text: https://groups.google.com/a/chromium.org/d/msg/blink-dev/KHSDQyr1ggA/0Z4rkXY6BAAJ.


Ergonomics

No API changes.


Activation

Developers will be able to use the feature as soon as it is enabled. There is a risk that bugs which were previously hidden by broken authentication will become apparent. There is a small risk that increased traffic could overload some WebSocket-based services.

Ongoing technical constraints
None.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)?
Yes.

OWP launch tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=423609 is the issue for supporting Windows auth for WebSockets. There isn't a specific launch bug.


Link to entry on the Chrome Platform Status
https://www.chromestatus.com/features/4885239100866560


Requesting approval to ship?
Yes

Yoav Weiss

unread,
Oct 12, 2018, 11:52:49 AM10/12/18
to Adam Rice, blin...@chromium.org
Risk seems minimal and results look good!

LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAC_ixdyJ5b%2B2HWeUJ6BL%3DPGZtvpmTQTT6OQNOfQD%3DWV84T8Ovw%40mail.gmail.com.

Mike West

unread,
Oct 16, 2018, 3:30:35 AM10/16/18
to Yoav Weiss, Adam Rice, blink-dev
LGTM2.


-mike


To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACj%3DBEiUWeNS%3D6mJqwY63-Ebhg9jFfeL4X-5vBoXoK2Qcvhh9A%40mail.gmail.com.

Philip Jägenstedt

unread,
Oct 16, 2018, 8:18:55 AM10/16/18
to Mike West, Yoav Weiss, Adam Rice, blink-dev
LGTM3, fixing highly starred bugs is great :)

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3De_t%2Bo5Fw2UkSU7eT%2BcqO5uGZDeVpJRkY0xx%2BP8j79ODg%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages