Introduction to WebSockets
By @cssaddict
whoami
- Connor McKelvey
- Twitter: @cssaddict
- Website: connormckelvey.com
- Front-end Developer
- Mediocre Guitar Player
- Apple Fan-boy
Brief History of Realtime Web Apps
- Hidden Iframe
- XMLHttpRequest
- Shipped in IE 1999
- In all Major Browsers by 2005
- Long Polling, HTTP Streaming
- Used to push data to the client
- Websockets
What's a WebSocket
The Protocol
Websocket is a IETF-defined protocol that provides full-duplex communications channels over a single TCP connection.
The API
The W3C-degined API enables javascript applications to use WebSockets to build efficient, event-driven, real-time applications
Why We Need This
HTTP doesn't cut it
- Request/Response cycle is not ideal for real-time apps
- HTTP is half-duplex communication (like walkie talkies)
- Data sent in headers for each HTTP request
- This adds pointless amounts overhead
- Latency from creating new TCP connections.
What is it good for
- Chat apps
- Social apps (with content feeds)
- Multi-player games
- Collaborative apps
- Financial Applications (bitcoinwisdom.com)
- 3-way data binding
How does it work
- Client makes HTTP request with upgrade header
- Server accepts subprotocol and upgrades connection
- Boom, Websockets.
Demo
Subprotocols
- No headers sent so client and server need to agree on subprotocol.
- Client can provide an array of subprotocols that the server can choose from
- Subprotocol Examples
- XMPP, WAMP, JSON-RPC, REST variants
- Define how data is formatted (JSON, XML)
- Define when client/server should receive a response after sending a message
- Defines a namespace for backwards compatability
var connection = new WebSocket('ws://localhost:1337',
['wamp', 'xmpp', ''example.com/v2]);I Can Haz WebSockets?
Yes, with Polyfill or Fallback
- web-socket-js - Falls back to Flash Socket
- sockjs-client - Falls back to XHR-Streaming and Long Polling
-
socket.io - Transports include to Flash Socket, XHR-Steaming, Long Polling, Iframe Messaging, JSONP Polling
WebSocket Security
- Use wss://
- encrypted with SSL/TLS and prevent MitM attacks
- Avoid tunneling other TCP services
- XSS attacks can lead to complete remote breaches
- Validate client input
- SQL injection is possible over WS as in HTTP
- Validate server data
- Use JSON.parse()
- Never evaluate as code
- Never apply directly to DOM (like I did in my example.)
WebSocket Security Continued
- Authenticate connections --
- initial HTTP Ugrade request sends cookies, so use them.
- Create expiring tokens for connections
- Valide Origin header
- Easily spoofed but do it anyway
- DOS Attacks --Client can open unlimited connections
- CloudFlare supports WS
- Don't do resource intensive stuff with WS
- Again, Authenticate connections and deny as needed
WebSocket Issues
- Proxies and Firewalls may kill connection or Upgrade may fail
- Enterprise proxies not up to date with WebSockets
- Traffic doesn't loop like HTTP traffic
- Connection header is stripped
- Using WSS:// prevents connection from being interpreted by intermediary proxies.
- Proxies not by default configured to handle WS but can be.
WebSocket Issues
- Keeping connections alive can be difficult
- Both Client and Server could go away
- Unreliable internet
- Wireless connection may fade out
- Error handing is extremely important
- Let user know
- Offline mode with local storage and Sync later
- Don't know if information has been received on other side, (This is what subprotocol are for)
Resources
- http://www.html5rocks.com/en/tutorials/websockets/basics/
- http://www.infoq.com/presentations/Introduction-WebSocket
- https://devcenter.heroku.com/articles/websocket-security
- http://www.w3.org/TR/2011/WD-websockets-20110929/
- http://blog.teamtreehouse.com/an-introduction-to-websockets
- https://developer.mozilla.org/en-US/docs/WebSockets
Questions?
Introduction to WebSockets
By Connor Finn McKelvey
