Community
Participate
Working Groups
Build Identifier: 8.0.0.RC0 A CORS (Cross Origin Request) request using a WebSocket in Safari works with 8.0.0.M3 but the same request fails to upgrade due to a change in the Sec-WebSocket-Origin response header. M3 used the Request Origin: header field as value for the Sec-WebSocket-Origin Response RC0 uses the Request Host: header field as value for the Sec-WebSocket-Origin Response Please see WebSocketConnection00.java I can't say which is correct due to my ignorance reading the WebSocket specs. I have upgraded to RC0 due to Google Chrome using WebSocket version 8 which is not available in M3. Reproducible: Always
Created attachment 202225 [details] The WebSocket response using 8.0.0.M3
Created attachment 202226 [details] The WebSocket response using 8.0.0.RC0
The images show the response object before sending it back to the client. It was made from the same client with identical code. You can clearly see the difference for the Sec-WebSocket-Origin field.
I have investigated this a little further. The Implementation for RC0 is probably correct. However, using CrossOriginFilter and removing the WebSocket check I found that it does not work with Safari either: 1. The filter adds Access-Control-Allow-Origin as the first header which may break D00 compatibility 2. Even adding at the end (modification during debugging) does not lead Safari to use the WebSocket, it still says it is now allowed. Finally I found that Safari will accept the WebSocket Upgrade only if Sec-WebSocket-Origin equals the Requests Origin.
Simone, can you check this issue
The situation regarding the "Origin" header is still under discussion on the WebSocket expert group at the IETF. The plan seems to be that WebSocket will comply with CORS regarding cross-origin requests, and therefore the response headers will change again. Given that WebSocket is still in draft, and that browser support is somehow varying in quality and draft versions, glitches are to be expected. I just tried Safari 5.1 (Windows) with Jetty 7.5.1, and it can perform a cross origin request without problems. Given that Jetty 8.0.1 is out (and it has been sync'ed with Jetty 7), can you please give it a try, along with the latest Safari, to see if this issue is still valid ? If it is, then please reopen the bug. Thanks!
(In reply to comment #6) > The situation regarding the "Origin" header is still under discussion on the > WebSocket expert group at the IETF. > > The plan seems to be that WebSocket will comply with CORS regarding > cross-origin requests, and therefore the response headers will change again. > > Given that WebSocket is still in draft, and that browser support is somehow > varying in quality and draft versions, glitches are to be expected. > > I just tried Safari 5.1 (Windows) with Jetty 7.5.1, and it can perform a cross > origin request without problems. > > Given that Jetty 8.0.1 is out (and it has been sync'ed with Jetty 7), can you > please give it a try, along with the latest Safari, to see if this issue is > still valid ? If it is, then please reopen the bug. > > Thanks! It seems to be complicated. I tried 8.0.1.v20110908 from the maven repo. The code I use to Suspend is: @Suspend def stream = { val broadcaster = create new broadcaster new Broadcastable("some message", broadcaster) } This leads to an IllegalStateException in HttpGenerator.java:241 Not sending "some message" keeps Safari waiting until it breaks the connection and my js code downgrades to streaming. Leo.
Leo, there is too much cooking in your example. @Suspend is part of a framework ? Which one ? Are you using Groovy ? Either case, these seems out of scope for this bug. I do not know what the framework you're using does so I cannot help here. Do you have evidence that a standard WebSocket request done in plain JavaScript from Safari is failing agains Jetty 8 ? Thanks!
Fully understood. Sorry, I did not have much time today, so this was just a first test. @Suspend is from the atmosphere framework. The code is scala.
I have tested with the latest SNAPSHOT of atmosphere. Now it works like a charm with Safari and Chrome. Thanks for your help!
