draft-ietf-xmpp-websocket-01.txt   draft-ietf-xmpp-websocket-02.txt 
XMPP Working Group L. Stout, Ed. XMPP Working Group L. Stout, Ed.
Internet-Draft &yet Internet-Draft &yet
Intended status: Standards Track J. Moffitt Intended status: Standards Track J. Moffitt
Expires: August 18, 2014 Mozilla Expires: September 15, 2014 Mozilla
E. Cestari E. Cestari
cstar industries cstar industries
February 14, 2014 March 14, 2014
An XMPP Sub-protocol for WebSocket An XMPP Sub-protocol for WebSocket
draft-ietf-xmpp-websocket-01 draft-ietf-xmpp-websocket-02
Abstract Abstract
This document defines a binding for the XMPP protocol over a This document defines a binding for the XMPP protocol over a
WebSocket transport layer. A WebSocket binding for XMPP provides WebSocket transport layer. A WebSocket binding for XMPP provides
higher performance than the current HTTP binding for XMPP. higher performance than the current HTTP binding for XMPP.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014. This Internet-Draft will expire on September 15, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . 4
3.3. XMPP Stream Setup . . . . . . . . . . . . . . . . . . . . 4 3.3. XMPP Stream Setup . . . . . . . . . . . . . . . . . . . . 4
3.4. Stream Errors . . . . . . . . . . . . . . . . . . . . . . 5 3.4. Stream Errors . . . . . . . . . . . . . . . . . . . . . . 5
3.5. Closing the Connection . . . . . . . . . . . . . . . . . 5 3.5. Closing the Connection . . . . . . . . . . . . . . . . . 5
3.5.1. see-other-uri . . . . . . . . . . . . . . . . . . . . 6 3.5.1. see-other-uri . . . . . . . . . . . . . . . . . . . . 6
3.6. Stanzas . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.6. Stanzas . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.7. Stream Restarts . . . . . . . . . . . . . . . . . . . . . 7 3.7. Stream Restarts . . . . . . . . . . . . . . . . . . . . . 7
3.8. Pings and Keepalives . . . . . . . . . . . . . . . . . . 7 3.8. Pings and Keepalives . . . . . . . . . . . . . . . . . . 7
3.9. Use of TLS . . . . . . . . . . . . . . . . . . . . . . . 8 3.9. Use of TLS . . . . . . . . . . . . . . . . . . . . . . . 8
3.10. Stream Management . . . . . . . . . . . . . . . . . . . . 8 3.10. Stream Management . . . . . . . . . . . . . . . . . . . . 8
4. Discovering Connection Method . . . . . . . . . . . . . . . . 8 4. Discovering the WebSocket Connection Method . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
5.1. WebSocket Subprotocol Name . . . . . . . . . . . . . . . 9 5.1. WebSocket Subprotocol Name . . . . . . . . . . . . . . . 9
5.2. URN Sub-Namespace . . . . . . . . . . . . . . . . . . . . 9 5.2. URN Sub-Namespace . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. XML Schema . . . . . . . . . . . . . . . . . . . . . 11 Appendix A. XML Schema . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Applications using XMPP (see [RFC6120] and [RFC6121]) on the Web Applications using the Extensible Messaging and Presence Protocol
currently make use of BOSH (see [XEP-0124] and [XEP-0206]), an XMPP (XMPP) (see [RFC6120] and [RFC6121]) on the Web currently make use of
binding to HTTP. BOSH is based on the HTTP long polling technique, BOSH (see [XEP-0124] and [XEP-0206]), an XMPP binding to HTTP. BOSH
and it suffers from high transport overhead compared to XMPP's native is based on the HTTP long polling technique, and it suffers from high
binding to TCP. In addition, there are a number of other known transport overhead compared to XMPP's native binding to TCP. In
issues with long polling [RFC6202], which have an impact on BOSH- addition, there are a number of other known issues with long polling
based systems. [RFC6202], which have an impact on BOSH-based systems.
It would be much better in most circumstances to avoid tunneling XMPP It would be much better in most circumstances to avoid tunneling XMPP
over HTTP long polled connections and instead use the XMPP protocol over HTTP long polled connections and instead use the XMPP protocol
directly. However, the APIs and sandbox that browsers have provided directly. However, the APIs and sandbox that browsers have provided
do not allow this. The WebSocket protocol [RFC6455] now exists to do not allow this. The WebSocket protocol [RFC6455] exists to solve
solve these kinds of problems. The WebSocket protocol is a bi- these kinds of problems. The WebSocket protocol is a bidirectional
directional protocol that provides a simple message-based framing protocol that provides a simple message-based framing layer over raw
layer over raw sockets and allows for more robust and efficient sockets and allows for more robust and efficient communication in web
communication in web applications. applications.
The WebSocket protocol enables two-way communication between a client The WebSocket protocol enables two-way communication between a client
and a server, effectively emulating TCP at the application layer and and a server, effectively emulating TCP at the application layer and
therefore overcoming many of the problems with existing long-polling therefore overcoming many of the problems with existing long-polling
techniques for bidirectional HTTP. This document defines a WebSocket techniques for bidirectional HTTP. This document defines a WebSocket
sub-protocol for the Extensible Messaging and Presence Protocol sub-protocol for XMPP.
(XMPP).
2. Terminology 2. Terminology
The basic unit of framing in the WebSocket protocol is called a The basic unit of framing in the WebSocket protocol is called a
message. In XMPP, the basic unit is the stanza, which is a subset of message. In XMPP, the basic unit is the stanza, which is a subset of
the first-level children of each document in an XMPP stream (see the first-level children of each document in an XMPP stream (see
Section 9 of [RFC6120]). XMPP also has a concept of messages, which Section 9 of [RFC6120]). XMPP also has a concept of messages, which
are stanzas whose top-level element name is message. In this are stanzas with a top-level element of <message/>. In this
document, the word "message" will mean a WebSocket message, not an document, the word "message" will mean a WebSocket message, not an
XMPP message stanza (see Section 3.2). XMPP message stanza, unless otherwise noted.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. XMPP Sub-Protocol 3. XMPP Sub-Protocol
3.1. Handshake 3.1. Handshake
The XMPP sub-protocol is used to transport XMPP over a WebSocket The XMPP sub-protocol is used to transport XMPP over a WebSocket
skipping to change at page 4, line 35 skipping to change at page 4, line 35
to="example.com" to="example.com"
version="1.0" /> version="1.0" />
3.2. Messages 3.2. Messages
Data frame messages in the XMPP sub-protocol MUST be of the text type Data frame messages in the XMPP sub-protocol MUST be of the text type
and contain UTF-8 encoded data. The close control frame's contents and contain UTF-8 encoded data. The close control frame's contents
are specified in Section 3.5. Control frames other than close are are specified in Section 3.5. Control frames other than close are
not restricted. not restricted.
Unless noted in text, the word "message" will mean a WebSocket
message composed of text data frames.
3.3. XMPP Stream Setup 3.3. XMPP Stream Setup
The first message sent after the handshake is complete MUST be an The first message sent after the handshake is complete MUST be an
<open /> element using the "urn:ietf:params:xml:ns:xmpp-framing" <open/> element qualified by the "urn:ietf:params:xml:ns:xmpp-
namespace, whose 'from', 'id', 'to' and 'version' attributes framing" namespace. The 'from', 'id', 'to', and 'version' attributes
mirror those in the XMPP opening stream tag as defined for the of this element mirror those of the XMPP opening stream tag as
'http://etherx.jabber.org/streams' namespace in XMPP [RFC6120]. The defined for the 'http://etherx.jabber.org/streams' namespace in XMPP
'<' character of the open tag MUST be the first character of the text [RFC6120]. The '<' character of the open tag MUST be the first
payload. character of the text payload.
The server MUST respond with an <open /> element, or a <close /> The server MUST respond with an <open /> element, or a <close />
element (see Section 3.5.1). element (see Section 3.5.1).
Clients MUST NOT attempt to multiplex XMPP streams for multiple JIDs Clients MUST NOT attempt to multiplex XMPP streams for multiple JIDs
over the same WebSocket. over the same WebSocket.
3.4. Stream Errors 3.4. Stream Errors
Stream level errors in XMPP are terminal. Should such an error Stream level errors in XMPP are terminal. Should such an error
skipping to change at page 5, line 24 skipping to change at page 5, line 21
If the error occurs during the opening of a stream, the server MUST If the error occurs during the opening of a stream, the server MUST
send the initial open element response, followed by the stream level send the initial open element response, followed by the stream level
error in a second WebSocket message frame. The server MUST then error in a second WebSocket message frame. The server MUST then
close the connection as specified in Section 3.5. close the connection as specified in Section 3.5.
3.5. Closing the Connection 3.5. Closing the Connection
Either the server or the client may close the connection at any time. Either the server or the client may close the connection at any time.
Before closing the connection, the closing party SHOULD close the Before closing the connection, the closing party SHOULD close the
XMPP stream, if it has been established, by sending a message with XMPP stream, if it has been established, by sending a message with
the <close /> element, qualified by the "urn:ietf:params:xml:ns:xmpp- the <close/> element, qualified by the "urn:ietf:params:xml:ns:xmpp-
framing" namespace. The stream is considered closed when a framing" namespace. The stream is considered closed when a
corresponding <close/> element is received from the other party. corresponding <close/> element is received from the other party.
To initiate closing the WebSocket connection, the closing party MUST To initiate closing the WebSocket connection, the closing party MUST
send a normal WebSocket close message with an empty body. The send a normal WebSocket close message with an empty body. The
connection is considered closed when a matching close message is connection is considered closed when a matching close message is
received (see Section 1.4 of [RFC6455]). received (see Section 1.4 of [RFC6455]).
An example of ending an XMPP over WebSocket session by first closing An example of ending an XMPP over WebSocket session by first closing
the XMPP stream layer and then the WebSocket connection layer: the XMPP stream layer and then the WebSocket connection layer:
skipping to change at page 6, line 17 skipping to change at page 6, line 15
on server policy, as specified in [XEP-0198]. If the client has not on server policy, as specified in [XEP-0198]. If the client has not
negotiated the use of [XEP-0198], there is no distinction between a negotiated the use of [XEP-0198], there is no distinction between a
stream that was closed as described above and a simple disconnection; stream that was closed as described above and a simple disconnection;
the stream is then considered implicitly closed and the XMPP session the stream is then considered implicitly closed and the XMPP session
ended. ended.
3.5.1. see-other-uri 3.5.1. see-other-uri
If the server (or a connection mananger intermediary) wishes to If the server (or a connection mananger intermediary) wishes to
instruct the client to move to a different WebSocket endpoint (e.g. instruct the client to move to a different WebSocket endpoint (e.g.
for load balancing purposes), the server MAY send a <close /> element for load balancing purposes), the server MAY send a <close/> element
and set the "see-other-uri" attribute to the URI of the new WebSocket and set the "see-other-uri" attribute to the URI of the new WebSocket
endpoint. endpoint.
Clients MUST NOT accept suggested endpoints with a lower security Clients MUST NOT accept suggested endpoints with a lower security
context (e.g. moving from a "wss://" endpoint to a "ws://" endpoint). context (e.g. moving from a "wss://" endpoint to a "ws://" endpoint).
An example of the server closing a stream and instructing the client An example of the server closing a stream and instructing the client
to connect at a different WebSocket endpoint: to connect at a different WebSocket endpoint:
S: <close xmlns="urn:ietf:params:xml:ns:xmpp-framing" S: <close xmlns="urn:ietf:params:xml:ns:xmpp-framing"
see-other-uri="wss://otherendpoint.example/xmpp-bind" /> see-other-uri="wss://otherendpoint.example/xmpp-bind" />
3.6. Stanzas 3.6. Stanzas
Every XMPP stanza or other XML element sent directly over the XMPP Every XMPP stanza or other XML element sent directly over the XMPP
stream (e.g. <features xmlns="http://etherx.jabber.org/streams" />) stream (e.g. <features xmlns="http://etherx.jabber.org/streams"/>)
MUST be sent in its own message. As such, every WebSocket text MUST be sent in its own message. As such, every WebSocket text
message that is received MUST be a complete and parsable XML message that is received MUST be a complete and parsable XML
fragment, with all relevant xmlns and xml:lang declarations fragment, with all relevant xmlns and xml:lang declarations
specified. specified.
As it is already mandated that the content of each message is UTF-8 As it is already mandated that the content of each message is UTF-8
encoded, XML text declarations SHOULD NOT be included in messsages. encoded, XML text declarations SHOULD NOT be included in messages.
Examples of WebSocket messages that contain independently parsable Examples of WebSocket messages that contain independently parsable
XML fragments (note that for stream features and errors, there is no XML fragments (note that for stream features and errors, there is no
parent context element providing the "stream" namespace prefix as in parent context element providing the "stream" namespace prefix as in
[RFC6120], and thus the stream namespace MUST be declared): [RFC6120], and thus the stream namespace MUST be declared):
<features xmlns="http://etherx.jabber.org/streams"> <features xmlns="http://etherx.jabber.org/streams">
<bind xmlns="urn:ietf:params:xml:ns:xmpp-bind" /> <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/>
</features> </features>
<error xmlns="http://etherx.jabber.org/streams"> <error xmlns="http://etherx.jabber.org/streams">
<host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/> <host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</error> </error>
<message xmlns="jabber:client" xml:lang="en"> <message xmlns="jabber:client" xml:lang="en">
<body>Every WebSocket message is parsable by itself.</body> <body>Every WebSocket message is parsable by itself.</body>
</message> </message>
3.7. Stream Restarts 3.7. Stream Restarts
After successful SASL authentication, an XMPP stream needs to be After successful SASL authentication, an XMPP stream needs to be
restarted. In these cases, as soon as the message is sent (or restarted. In these cases, as soon as the message is sent (or
received) containing the success indication, both the server and received) containing the success indication, both the server and
client streams are implicitly closed, and new streams need to be client streams are implicitly closed, and new streams need to be
opened. The client MUST open a new stream as in Section 3.3 and MUST opened. The client MUST open a new stream as in Section 3.3 and MUST
NOT send a closing <close /> element. NOT send a closing <close/> element.
S: <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl" /> S: <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl" />
[Streams implicitly closed] [Streams implicitly closed]
C: <open xmlns="urn:ietf:params:xml:ns:xmpp-framing" C: <open xmlns="urn:ietf:params:xml:ns:xmpp-framing"
to="example.com" to="example.com"
version="1.0" /> version="1.0" />
3.8. Pings and Keepalives 3.8. Pings and Keepalives
XMPP servers send whitespace pings as keepalives between stanzas, and XMPP servers often send "whitespace keepalives" (see Section 4.6.1 of
XMPP clients can do the same as these extra whitespace characters are [RFC6120]) between stanzas to maintain an XML stream, and XMPP
not significant in the protocol. Servers and clients SHOULD use clients can do the same as these extra whitespace characters are not
significant in the protocol. Servers and clients SHOULD use
WebSocket ping control frames instead for this purpose. WebSocket ping control frames instead for this purpose.
In some cases, the WebSocket connection might be served by an In some cases, the WebSocket connection might be served by an
intermediary connection manager and not the XMPP server. In these intermediary connection manager and not the XMPP server. In these
situations, the use of WebSocket ping messages are insufficient to situations, the use of WebSocket ping messages are insufficient to
test that the XMPP stream is still alive. Both the XMPP Ping test that the XMPP stream is still alive. Both the XMPP Ping
extension [XEP-0199] and the XMPP Stream Management extension extension [XEP-0199] and the XMPP Stream Management extension
[XEP-0198] provide mechanisms to ping the XMPP server, and either [XEP-0198] provide mechanisms to ping the XMPP server, and either
extension (or both) MAY be used to determine the state of the extension (or both) MAY be used to determine the state of the
connection. connection.
3.9. Use of TLS 3.9. Use of TLS
TLS cannot be used at the XMPP sub-protocol layer because the sub- TLS cannot be used at the XMPP sub-protocol layer because the sub-
protocol does not allow for raw binary data to be sent. Instead, protocol does not allow for raw binary data to be sent. Instead,
enabling TLS SHOULD be done at the WebSocket layer using secure enabling TLS SHOULD be done at the WebSocket layer using secure
WebSocket connections via the |wss| URI scheme. (See Section 10.6 of WebSocket connections via the |wss| URI scheme. (See Section 10.6 of
[RFC6455]). [RFC6455].)
Because TLS is to be provided outside of the XMPP sub-protocol layer, Because TLS is to be provided outside of the XMPP sub-protocol layer,
a server MUST NOT advertise TLS as a stream feature (see Section 4.6 a server MUST NOT advertise TLS as a stream feature (see Section 4.6
of [RFC6120]), and a client MUST ignore any advertised TLS stream of [RFC6120]), and a client MUST ignore any advertised TLS stream
feature, when using the XMPP sub-protocol. feature, when using the XMPP sub-protocol.
3.10. Stream Management 3.10. Stream Management
In order to alleviate the problems of temporary disconnections, the In order to alleviate the problems of temporary disconnections, the
XMPP Stream Management extension [XEP-0198] MAY be used to confirm XMPP Stream Management extension [XEP-0198] MAY be used to confirm
when stanzas have been received by the server. when stanzas have been received by the server.
In particular, the use of session resumption in [XEP-0198] MAY be In particular, the use of session resumption in [XEP-0198] MAY be
used to allow for recreating the same stream session state after a used to allow for recreating the same stream session state after a
temporary network unavailability or after navigating to a new URL in temporary network unavailability or after navigating to a new URL in
a browser. a browser.
4. Discovering Connection Method 4. Discovering the WebSocket Connection Method
The XMPP extension Discovering Alternate XMPP Connection Methods Section 3 of [RFC6120] defines a procedure for connecting to an XMPP
[XEP-0156] provides mechanisms to discover the additional information server, including ways to discover the TCP/IP address and port of the
needed to connect to an XMPP server outside of the procedure defined server. When using the WebSocket binding as specified in this
in in Section 3 of [RFC6120]. document (instead of the TCP binding as specified in [RFC6120]), a
client needs an alternative way to discover information about the
server's connection methods, since web browsers and other WebSocket-
capable software applications typically cannot obtain such
information from the Domain Name System.
Servers MAY expose such discovery information, and clients MAY use The alternative lookup process uses Web Host Metadata [RFC6415] and
such information to determine the WebSocket endpoint for a server. Web Linking [RFC5988], where the link relation type is "urn:xmpp:alt-
connections:websocket" as described in Discovering Alternate XMPP
Connection Methods [XEP-0156]. An example follows.
Use of the HTTP lookup method in [XEP-0156] MAY be used to establish <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
trust between the XMPP server domain and the WebSocket endpoint, <Link rel="urn:xmpp:alt-connections:websocket"
particularly in multi-tenant situations where the same WebSocket href="wss://webcm.example.net:443/ws" />
endpoint is serving multiple XMPP domains. </XRD>
Servers MAY expose discovery information using host-meta documents,
and clients MAY use such information to determine the WebSocket
endpoint for a server.
Use of web-host metadata MAY be used to establish trust between the
XMPP server domain and the WebSocket endpoint, particularly in multi-
tenant situations where the same WebSocket endpoint is serving
multiple XMPP domains.
5. IANA Considerations 5. IANA Considerations
5.1. WebSocket Subprotocol Name 5.1. WebSocket Subprotocol Name
This specification requests IANA to register the WebSocket XMPP sub- This specification requests IANA to register the WebSocket XMPP sub-
protocol under the "WebSocket Subprotocol Name" Registry with the protocol under the "WebSocket Subprotocol Name" Registry with the
following data: following data:
Subprotocol Identifier: xmpp Subprotocol Identifier: xmpp
Subprotocol Common Name: WebSocket Transport for the Extensible Subprotocol Common Name: WebSocket Transport for the Extensible
Messaging and Presence Protocol (XMPP) Messaging and Presence Protocol (XMPP)
skipping to change at page 9, line 15 skipping to change at page 9, line 26
This specification requests IANA to register the WebSocket XMPP sub- This specification requests IANA to register the WebSocket XMPP sub-
protocol under the "WebSocket Subprotocol Name" Registry with the protocol under the "WebSocket Subprotocol Name" Registry with the
following data: following data:
Subprotocol Identifier: xmpp Subprotocol Identifier: xmpp
Subprotocol Common Name: WebSocket Transport for the Extensible Subprotocol Common Name: WebSocket Transport for the Extensible
Messaging and Presence Protocol (XMPP) Messaging and Presence Protocol (XMPP)
Subprotocol Definition: RFC XXXX Subprotocol Definition: this document
[[ NOTE TO RFC EDITOR: Please replace "XXXX" with the number assigned
to this document upon publication as an RFC. ]]
5.2. URN Sub-Namespace 5.2. URN Sub-Namespace
A URN sub-namespace for framing of Extensible Messaging and Presence A URN sub-namespace for framing of Extensible Messaging and Presence
Protocol (XMPP) streams is defined as follows. Protocol (XMPP) streams is defined as follows.
URI: urn:ietf:params:xml:ns:xmpp-framing URI: urn:ietf:params:xml:ns:xmpp-framing
Specification: RFC XXXX Specification: this document
Description: This is the XML namespace name for framing of Description: This is the XML namespace name for framing of
Extensible Messaging and Presence Protocol (XMPP) streams as Extensible Messaging and Presence Protocol (XMPP) streams as
defined by RFC XXXX. defined by RFC XXXX.
Registrant Contact: IESG <iesg@ietf.org> Registrant Contact: IESG <iesg@ietf.org>
[[ NOTE TO RFC EDITOR: Please replace "XXXX" with the number assigned
to this document upon publication as an RFC. ]]
6. Security Considerations 6. Security Considerations
Since application level TLS cannot be used (see Section 3.9), Since application level TLS cannot be used (see Section 3.9),
applications which need to protect the privacy of the XMPP traffic applications need to protect the privacy of XMPP traffic at the
need to do so at the WebSocket or other appropriate layer. WebSocket or other appropriate layer.
Browser based applications are not able to inspect and verify at the Browser based applications are not able to inspect and verify at the
application layer the certificate used for the WebSocket connection application layer the certificate used for the WebSocket connection
to ensure that it corresponds to the domain specified as the "to" to ensure that it corresponds to the domain specified as the "to"
address of the XMPP stream. For hosts whose domain matches the address of the XMPP stream. For hosts whose domain matches the
origin for the WebSocket connection, that check is already performed origin for the WebSocket connection, that check is already performed
by the browser. However, in situations where the domain of the XMPP by the browser. However, in situations where the domain of the XMPP
server might not match the origin for the WebSocket endpoint server might not match the origin for the WebSocket endpoint
(especially multi-tenant hosting situations), the HTTP discovery (especially multi-tenant hosting situations), the web host metadata
method in [XEP-0156] MAY be used to delegate trust from the XMPP method (see [RFC6415] and [XEP-0156]) MAY be used to delegate trust
server domain to the WebSocket origin. from the XMPP server domain to the WebSocket origin.
When presented with a new WebSocket endpoint via the "see-other-uri" When presented with a new WebSocket endpoint via the "see-other-uri"
attribute of a <close/> element, clients MUST NOT accept the attribute of a <close/> element, clients MUST NOT accept the
suggestion if the security context of the new endpoint is lower than suggestion if the security context of the new endpoint is lower than
the current one in order to prevent downgrade attacks from a "wss://" the current one in order to prevent downgrade attacks from a "wss://"
endpoint to "ws://". endpoint to "ws://".
The Security Considerations for both WebSocket (see Section 10 of The Security Considerations for both WebSocket (see Section 10 of
[RFC6455] and XMPP (see Section 13 of [RFC6120]) apply to the [RFC6455] and XMPP (see Section 13 of [RFC6120]) apply to the
WebSocket XMPP sub-protocol. WebSocket XMPP sub-protocol.
skipping to change at page 10, line 27 skipping to change at page 10, line 32
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, March 2011. Protocol (XMPP): Core", RFC 6120, March 2011.
[XEP-0156] [RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol", RFC
Hildebrand, J., Saint-Andre, P., and L. Stout, 6455, December 2011.
"Discovering Alternative XMPP Connection Methods", XSF XEP
0156, January 2014.
7.2. Informative References 7.2. Informative References
[RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010.
[RFC6121] Saint-Andre, P., "Extensible Messaging and Presence [RFC6121] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Instant Messaging and Presence", RFC Protocol (XMPP): Instant Messaging and Presence", RFC
6121, March 2011. 6121, March 2011.
[RFC6202] Loreto, S., Saint-Andre, P., Salsano, S., and G. Wilkins, [RFC6202] Loreto, S., Saint-Andre, P., Salsano, S., and G. Wilkins,
"Known Issues and Best Practices for the Use of Long "Known Issues and Best Practices for the Use of Long
Polling and Streaming in Bidirectional HTTP", RFC 6202, Polling and Streaming in Bidirectional HTTP", RFC 6202,
April 2011. April 2011.
[RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol", RFC [RFC6415] Hammer-Lahav, E. and B. Cook, "Web Host Metadata", RFC
6455, December 2011. 6415, October 2011.
[XEP-0124] [XEP-0124]
Paterson, I., Smith, D., Saint-Andre, P., Moffitt, J., and Paterson, I., Smith, D., Saint-Andre, P., Moffitt, J., and
L. Stout, "Bidirectional-streams Over Synchronous HTTP L. Stout, "Bidirectional-streams Over Synchronous HTTP
(BOSH)", XSF XEP 0124, November 2013. (BOSH)", XSF XEP 0124, November 2013.
[XEP-0156]
Hildebrand, J., Saint-Andre, P., and L. Stout,
"Discovering Alternative XMPP Connection Methods", XSF XEP
0156, January 2014.
[XEP-0198] [XEP-0198]
Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F., Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F.,
Cridland, D., and M. Wild, "Stream Management", XSF XEP Cridland, D., and M. Wild, "Stream Management", XSF XEP
0198, June 2011. 0198, June 2011.
[XEP-0199] [XEP-0199]
Saint-Andre, P., "XMPP Ping", XSF XEP 0199, June 2009. Saint-Andre, P., "XMPP Ping", XSF XEP 0199, June 2009.
[XEP-0206] [XEP-0206]
Paterson, I., Saint-Andre, P., and L. Stout, "XMPP Over Paterson, I., Saint-Andre, P., and L. Stout, "XMPP Over
skipping to change at page 11, line 48 skipping to change at page 12, line 9
elementFormDefault='unqualified'> elementFormDefault='unqualified'>
<xs:element name='open'> <xs:element name='open'>
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base='empty'> <xs:extension base='empty'>
<xs:attribute name='from' type='xs:string' <xs:attribute name='from' type='xs:string'
use='optional'/> use='optional'/>
<xs:attribute name='id' type='xs:string' <xs:attribute name='id' type='xs:string'
use='optional'/> use='optional'/>
<xs:attribute name='see-other-uri' type='xs:anyURI'
use='optional'/>
<xs:attribute name='to' type='xs:string' <xs:attribute name='to' type='xs:string'
use='optional'/> use='optional'/>
<xs:attribute name='version' type='xs:decimal' <xs:attribute name='version' type='xs:decimal'
use='optional'/> use='optional'/>
<xs:attribute ref='xml:lang' <xs:attribute ref='xml:lang'
use='optional'/> use='optional'/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
 End of changes. 36 change blocks. 
74 lines changed or deleted 83 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/