-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Current status? #35
Comments
The project is partially implemented and still intended to go ahead, but is on hold awaiting a more-secure context than is currently available. Work is happening on that front but I don't have an ETA for you, sorry. |
Ok. The reason I ask is that I'm currently looking at designing and implementing an overhauled, modernized socket API in Node.js with an eye towards implementing that also in Workers and potentially Deno also. It would be ideal to collaborate on a combined spec but I do have some fairly significant design differences from what's captured in this spec currently. It would definitely be ideal if we could collaborate, especially if there is intent to ship support in browsers. |
Reopening just so other people can see this instead of starting new issues. We do still intend to get this shipped eventually, but I don't really expect it to happen in 2021. If you have other feedback on the API, please do file issues about it so we can track it when we come back to this . |
Can I try it now in Chromium? With some command line arguments? |
I believe you can test it using the Update: Also set cross-origin HTTP headers as mentioned by yume-chan |
I figured it out.
For all versions, the page must also have |
@yume-chan Did it work for you? whenever I try this in canary version I get "You are using unsupported command line flag: --restricted-api-origins...". |
Yes, just tested on version 99.0.4778.0 (Official Build) canary (x86_64). |
restricted-api-origins was added in M99. Before M99 it shouldn't be needed |
Tried but I can't see the proper methods in 'navigator', am I missing something? |
Did you add those two headers? |
Ok just working after adding the headers. |
It seems that "openTCPSocket()" not added to Navigator yet. I use "google chrome 100.0.4860.0 (Official Build) canary (64 bit) (cohort: Clang-64) ".
How can I use "openTCPSocket()"? |
Thank you for your answer. |
think it seems very hard to try to enable and test out this new features in chrome. can't get openTCPSocket to show up... |
this api is very useful especially working with printer port 9100 if it would be possible to work on the local intranet without any restrictions and permissions it would be really great |
The requirements have changed in mid-March (not sure exact version number). Now it needs:
Then |
forcing the user to have to install the app in order to use the service feels a tiny bit reluctant I don't like installing PWA apps as an desktop application... all it really is, is a web site. So it feels a tiny bit pointless to have to install something when you can just bookmark it and surf to it via a simple web address... this installed PWA apps don't really give you a hole lot of benefits over what a traditional website with a bit of service worker are able to provide to you. How many PWA apps have you installed as a desktop app? me = 0 |
Just giving feedback -- I'm not an expert on browsers like you all. But I second that having to install an app kind of kills this proposal. If it's not as frictionless as the web then it won't be competitive and I believe this API could really improve the web. There are naysayers that are saying it could be too harmful. But you can say the same thing about XSS already. A basic XSS vulnerability in a banking website can already be used to transfer funds. There are obviously impacts of having socket access, but I believe they can be mitigated. Some suggestions:
Resource control:Mozilla wrote here = mozilla/standards-positions#431. Mozilla raised a good point about local resources. Since local addresses are relative to the network you're on specifying them in a white list could give incorrect access to your own local network resources. I think this would be a good place to prompt for a permission dialogue. In the past, you would only allow access to such resources if they were running as 'trusted' application installed / downloaded to the host. Discussion: Do we consider access to local network resources to be such an insurmountable risk that we disable this completely for first release of the API? Is a dialogue box 'good enough.' Keep in mind there are many, many use-cases for local resource access. It's particularly bad because the browser is behind the NAT with full network viability -- but this is also a huge advantage for developers. The explainer suggests having an IP entered manually in a field. This is a good idea, albeit not very user-friendly. Could allow port to be editable. Could also have a list of banners to check for. Entering IPs and such should not be required for remote connections. Peer-to-peer:I think P2P presents one of the most innovative and exciting uses of this API and should be a supported focus. But doing this would require extending the API to add a listen method.
Other thoughts:I personally don't think we should worry about throttling the traffic of the sockets. But you could build a traffic policy into the HTTP header if you liked. There are ways to do networking that use 'idle bandwidth' or are more 'respectful' of resources (e.g. LEDBAT.) As for repeat connections -- this does seem sketchy but plenty of legitimate network tools would be making many network connections. I think it should be up to the developer to control this and we shouldn't assume bad faith on the part of the website. In the end there is no cure for simple web attacks and social engineering. A social engineer can still make a website and do a lot more damage than flooding some traffic over the Internet. Besides -- you can already do these attacks anyway with iframes and ajax, right? So I don't really see what sense it would make limiting connection count or neutering this fledgling API. |
443 is already blocked.
DDoS is not possible because opening sockets requires transient activation and connect frequency is already limited.
P2P is not possible because Direct Sockets doesn't provide socket server, only client. Direct Sockets are designed for connecting to legacy system which can't be converted to Web services. P2P is already possible with WebRTC, for example there is https://github.com/webtorrent/webtorrent. WebRTC also provides hole-punching out-of-box.
Direct Sockets in IFrames are controlled by
Domain names resolve to local IP addresses are already blocked to mitigate DNS rebind attack.
I don't know if anyone from Chrome team is looking at this issue. So https://bugs.chromium.org/p/chromium/issues/detail?id=1206150 might be a better place to post your thoughts. |
Ping. Any status update? Will this spec go forward? |
This work is still paused. The "more-secure context than is currently available" it was waiting on is under active development (https://chromestatus.com/feature/5146307550248960). We will probably reconsider the priority of this work once that is done. |
I'm still watching this with great interest and do think it could radically change the web as a delivery platform. |
People interested in playing with the API now can see #46 (comment). |
What is the current status of this proposal? Is there still an intent on moving it forward?
The text was updated successfully, but these errors were encountered: