https://en.wikipedia.org/wiki/WebSocket
WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011, and the WebSocket API in Web IDL is being standardized by the W3C.
WebSocket is distinct from HTTP. Both protocols are located at layer 7 in the OSI model and depend on TCP at layer 4. Although they are different, RFC 6455 states that WebSocket "is designed to work over HTTP ports 80 and 443 as well as to support HTTP proxies and intermediaries," thus making it compatible with the HTTP protocol. To achieve compatibility, the WebSocket handshake uses the HTTP Upgrade header to change from the HTTP protocol to the WebSocket protocol.
The WebSocket protocol enables interaction between a web browser (or other client application) and a web server with lower overhead than half-duplex alternatives such as HTTP polling, facilitating real-time data transfer from and to the server. This is made possible by providing a standardized way for the server to send content to the client without being first requested by the client, and allowing messages to be passed back and forth while keeping the connection open. In this way, a two-way ongoing conversation can take place between the client and the server. The communications are done over TCP port number 80 (or 443 in the case of TLS-encrypted connections), which is of benefit for those environments which block non-web Internet connections using a firewall. Similar two-way browser-server communications have been achieved in non-standardized ways using stopgap technologies such as Comet.
Most browsers support the protocol, including Google Chrome, Microsoft Edge, Internet Explorer, Firefox, Safari and Opera.
WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011, and the WebSocket API in Web IDL is being standardized by the W3C.
WebSocket is distinct from HTTP. Both protocols are located at layer 7 in the OSI model and depend on TCP at layer 4. Although they are different, RFC 6455 states that WebSocket "is designed to work over HTTP ports 80 and 443 as well as to support HTTP proxies and intermediaries," thus making it compatible with the HTTP protocol. To achieve compatibility, the WebSocket handshake uses the HTTP Upgrade header to change from the HTTP protocol to the WebSocket protocol.
The WebSocket protocol enables interaction between a web browser (or other client application) and a web server with lower overhead than half-duplex alternatives such as HTTP polling, facilitating real-time data transfer from and to the server. This is made possible by providing a standardized way for the server to send content to the client without being first requested by the client, and allowing messages to be passed back and forth while keeping the connection open. In this way, a two-way ongoing conversation can take place between the client and the server. The communications are done over TCP port number 80 (or 443 in the case of TLS-encrypted connections), which is of benefit for those environments which block non-web Internet connections using a firewall. Similar two-way browser-server communications have been achieved in non-standardized ways using stopgap technologies such as Comet.
Most browsers support the protocol, including Google Chrome, Microsoft Edge, Internet Explorer, Firefox, Safari and Opera.
Overview
Unlike HTTP, WebSocket provides full-duplex communication.
Additionally, WebSocket enables streams of messages on top of TCP. TCP
alone deals with streams of bytes with no inherent concept of a message.
Before WebSocket, port 80 full-duplex communication was attainable
using Comet
channels; however, Comet implementation is nontrivial, and due to the
TCP handshake and HTTP header overhead, it is inefficient for small
messages. The WebSocket protocol aims to solve these problems without
compromising the security assumptions of the web.
The WebSocket protocol specification defines
ws
(WebSocket) and wss
(WebSocket Secure) as two new uniform resource identifier (URI) schemes that are used for unencrypted and encrypted connections, respectively. Apart from the scheme name and fragment (i.e. #
is not supported), the rest of the URI components are defined to use URI generic syntax.
Using browser developer tools, developers can inspect the WebSocket handshake as well as the WebSocket frames.
History
WebSocket was first referenced as TCPConnection in the HTML5 specification, as a placeholder for a TCP-based socket API. In June 2008, a series of discussions were led by Michael Carter that resulted in the first version of the protocol known as WebSocket.
The name "WebSocket" was coined by Ian Hickson and Michael Carter
shortly thereafter through collaboration on the #whatwg IRC chat room,
and subsequently authored for inclusion in the HTML5 specification by
Ian Hickson, and announced on the cometdaily blog by Michael Carter.
In December 2009, Google Chrome 4 was the first browser to ship full
support for the standard, with WebSocket enabled by default. Development of the WebSocket protocol was subsequently moved from the W3C and WHATWG group to the IETF in February 2010, and authored for two revisions under Ian Hickson.
After the protocol was shipped and enabled by default in multiple
browsers, the RFC was finalized under Ian Fette in December 2011.
Browser implementation
A secure version of the WebSocket protocol is implemented in Firefox 6, Safari 6, Google Chrome 14, Opera 12.10 and Internet Explorer 10. A detailed protocol test suite report lists the conformance of those browsers to specific protocol aspects.
An older, less secure version of the protocol was implemented in Opera 11 and Safari 5, as well as the mobile version of Safari in iOS 4.2. The BlackBerry Browser in OS7 implements WebSockets. Because of vulnerabilities, it was disabled in Firefox 4 and 5, and Opera 11.
Protocol, version | Draft date | IE | Firefox (PC) | Firefox (Android) | Chrome (PC, Mobile) | Safari (Mac, iOS) | Opera (PC, Mobile) | Android Browser |
---|---|---|---|---|---|---|---|---|
hixie-75 | February 4, 2010 |
|
|
|
4 | 5.0.0 |
|
|
hixie-76 hybi-00 |
May 6, 2010 May 23, 2010 |
|
4.0 (disabled) |
|
6 | 5.0.1 | 11.00 (disabled) |
|
hybi-07, v7 | April 22, 2011 |
|
6 |
|
|
|
|
|
hybi-10, v8 | July 11, 2011 |
|
7 | 7 | 14 |
|
|
|
RFC 6455, v13 | December, 2011 | 10 | 11 | 11 | 16 | 6 | 12.10 | 4.4 |
Web Server implementation
Nginx has supported WebSockets since 2013, implemented in version 1.3.13 including acting as a reverse proxy and load balancer of WebSocket applications.
Protocol handshake
To
establish a WebSocket connection, the client sends a WebSocket
handshake request, for which the server returns a WebSocket handshake
response, as shown in the example below.
Client request (just like in HTTP, each line ends with
\r\n
and there must be an extra blank line at the end): GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
Origin: http://example.com
Server response:
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Sec-WebSocket-Protocol: chat
The handshake starts with an HTTP request/response, allowing servers
to handle HTTP connections as well as WebSocket connections on the same
port. Once the connection is established, communication switches to a
bidirectional binary protocol which does not conform to the HTTP
protocol.
In addition to
Upgrade
headers, the client sends a Sec-WebSocket-Key
header containing base64-encoded random bytes, and the server replies with a hash of the key in the Sec-WebSocket-Accept
header. This is intended to prevent a caching proxy from re-sending a previous WebSocket conversation, and does not provide any authentication, privacy, or integrity. The hashing function appends the fixed string 258EAFA5-E914-47DA-95CA-C5AB0DC85B11
(a GUID) to the value from Sec-WebSocket-Key
header (which is not decoded from base64), applies the SHA-1 hashing function, and encodes the result using base64.
Once the connection is established, the client and server can send WebSocket data or text frames back and forth in full-duplex mode. The data is minimally framed, with a small header followed by payload.[35]
WebSocket transmissions are described as "messages", where a single
message can optionally be split across several data frames. This can
allow for sending of messages where initial data is available but the
complete length of the message is unknown (it sends one data frame after
another until the end is reached and marked with the FIN bit). With
extensions to the protocol, this can also be used for multiplexing
several streams simultaneously (for instance to avoid monopolizing use
of a socket for a single large payload).
Security considerations
Unlike regular cross-domain HTTP requests, WebSocket requests are not restricted by the Same-origin policy.
Therefore WebSocket servers must validate the "Origin" header against
the expected origins during connection establishment, to avoid
Cross-Site WebSocket Hijacking attacks (similar to Cross-site request forgery),
which might be possible when the connection is authenticated with
Cookies or HTTP authentication. It is better to use tokens or similar
protection mechanisms to authenticate the WebSocket connection when
sensitive (private) data is being transferred over the WebSocket.
Proxy traversal
WebSocket protocol client implementations try to detect if the user agent is configured to use a proxy when connecting to destination host and port and, if it is, uses HTTP CONNECT method to set up a persistent tunnel.
While the WebSocket protocol itself is unaware of proxy servers
and firewalls, it features an HTTP-compatible handshake thus allowing
HTTP servers to share their default HTTP and HTTPS ports (80 and 443)
with a WebSocket gateway or server. The WebSocket protocol defines a
ws:// and wss:// prefix to indicate a WebSocket and a WebSocket Secure
connection, respectively. Both schemes use an HTTP upgrade mechanism
to upgrade to the WebSocket protocol. Some proxy servers are
transparent and work fine with WebSocket; others will prevent WebSocket
from working correctly, causing the connection to fail. In some cases,
additional proxy server configuration may be required, and certain proxy
servers may need to be upgraded to support WebSocket.
If unencrypted WebSocket traffic flows through an explicit or a
transparent proxy server without WebSockets support, the connection will
likely fail.
If an encrypted WebSocket connection is used, then the use of Transport Layer Security
(TLS) in the WebSocket Secure connection ensures that an HTTP CONNECT
command is issued when the browser is configured to use an explicit
proxy server. This sets up a tunnel, which provides low-level end-to-end
TCP communication through the HTTP proxy, between the WebSocket Secure
client and the WebSocket server. In the case of transparent proxy
servers, the browser is unaware of the proxy server, so no HTTP CONNECT
is sent. However, since the wire traffic is encrypted, intermediate
transparent proxy servers may simply allow the encrypted traffic
through, so there is a much better chance that the WebSocket connection
will succeed if WebSocket Secure is used. Using encryption is not free
of resource cost, but often provides the highest success rate since it
would be travelling through a secure tunnel.
A mid-2010 draft (version hixie-76) broke compatibility with reverse proxies and gateways by including eight bytes of key data after the headers, but not advertising that data in a
Content-Length: 8
header. This data was not forwarded by all intermediates, which could lead to protocol failure. More recent drafts (e.g., hybi-09) put the key data in a Sec-WebSocket-Key
header, solving this problem.