creativcoder / pywebsocket

Automatically exported from code.google.com/p/pywebsocket
0 stars 0 forks source link

Allow HSTS to work #127

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Mozilla uses mod_pywebsocket for mochitest testing:

* 
http://mxr.mozilla.org/mozilla-central/source/testing/mochitest/pywebsocket/READ
ME-MOZILLA?raw=1
* https://bugzilla.mozilla.org/show_bug.cgi?id=820861#c2

However, we cannot use the existing code as-is as there is a four-line patch we 
need for HSTS.  Please include this patch for HSTS. A pypi version bump would 
also be appreciated.

Index: mod_pywebsocket/handshake/hybi.py
===================================================================
--- mod_pywebsocket/handshake/hybi.py   (revision 718)
+++ mod_pywebsocket/handshake/hybi.py   (working copy)
@@ -298,6 +298,7 @@

     def _set_protocol(self):
         self._request.ws_protocol = None
+        self._request.sts = None

         protocol_header = self._request.headers_in.get(
             common.SEC_WEBSOCKET_PROTOCOL_HEADER)
@@ -398,6 +399,9 @@
             response.append(format_header(
                 common.SEC_WEBSOCKET_EXTENSIONS_HEADER,
                 common.format_extensions(self._request.ws_extensions)))
+        if self._request.sts is not None:
+            response.append(format_header("Strict-Transport-Security",
+                                          self._request.sts))
         response.append('\r\n')

         return ''.join(response)

Original issue reported on code.google.com by k0Sc...@gmail.com on 26 Dec 2012 at 11:44

Attachments:

GoogleCodeExporter commented 9 years ago
I.e. this is just a way for a pywebsocket reply handler to indicate if it wants 
the Strict-Transport-Security header set.  We'd be fine with a more structured 
approach if this is too hacky.

Original comment by jduell.m...@gmail.com on 8 Jan 2013 at 1:19

GoogleCodeExporter commented 9 years ago
Sorry for delay. I'll add an API to allow handlers to add non WebSocket 
specific headers in the extra handshake callback.

Original comment by tyoshino@chromium.org on 25 Jan 2013 at 6:29

GoogleCodeExporter commented 9 years ago
Done. Please push the header and value you want to send back to the client to 
request.extra_headers as a pair during extra handshake.

See example/hsts_wsh.py for reference. Thanks

Original comment by tyoshino@chromium.org on 1 Feb 2013 at 7:11