HTTP Potpourri

Kevin Hakanson
Twin Cities Code Camp 12
14-15 April 2012
Are You In The Right Place?
● This talk:
○ Embracing HTTP is an important property of well constructed ReSTful and web
apis. Every web developer is familiar with GET and POST, 200 and 404, Accept
and Content-Type; but what about 207 and 413, OPTIONS and PROPFIND,
Transfer-Encoding and X-File-Size? This session will be based on usage of various
HTTP methods, headers and status codes drawn from the development of large
scale, web applications. Examples will include raw HTTP, mixed in with JavaScript
and ASP.NET MVC code.

● This speaker:
○ Kevin Hakanson is an application architect for Thomson Reuters where he is
focused on highly scalable web applications. His background includes both .NET
and Java, but he is most nostalgic about Lotus Notes. He has been developing
professionally since 1994 and holds a Master’s degree in Software
Engineering. When not staring at a computer screen, he is probably staring at
another screen, either watching TV or playing video games with his family.
Kevin Hakanson
@hakanson
#tccc12

kevin.hakanson@gmail.com

github.com/hakanson

stackoverflow.com/users/22514/kevin-hakanson
What to Expect
● define:potpourri
○ "A collection of various things; an assortment, mixed bag
or motley" - Wiktionary
● "Based on a True Story"
○ derived from production code from large scale, web app
○ combined with stackoverflow questions
○ and a mix of web tutorials
● Combination of informational slides with highlights,
screenshots, code samples and HTTP snippets
● Attempts at humor
● Questions (OK during presentation)
Tools and Technologies
● IE 10, Chrome 17, Firefox 11
● Fiddler, Wireshark
● curl (Git Bash)
● Windows 8 Consumer Preview
● Visual Studio 11 (beta)
● ASP.NET MVC 4
● Squid
● Alt + PrtScr; Paint.NET
● memegenerator.net
● live co-worker audience
HTTP Potpourri
Methods
● RFC 2616, Section 9 defines these "methods" (the word
"verb" does not appear in http://www.ietf.org/rfc/rfc2616.txt)
○ OPTIONS, GET, HEAD, PUT, POST, DELETE, TRACE,
CONNECT
● Only GET and POST work with <form method="">
● Everything allowed with AJAX
● Sometimes you need X-HTTP-Method-Override
○ http://stackoverflow.com/questions/467535/is-it-possible-to-implement-x-httpmethod-override-in-asp-net-mvc
○ <%=Html.HttpMethodOverride(HttpVerbs.Delete) %>
○ <input name="X-HTTP-Method-Override" type="hidden" value="DELETE" />
Headers
● HTTP header fields, which include
http://www.w3.org/Protocols/rfc2616/rfc2616.html
○ general-header (section 4.5)
○ request-header (section 5.3)
○ response-header (section 6.2)
○ entity-header (section 7.1)
● Permanent Message Header Field Names
○ http://www.iana.org/assignments/message-headers/permheaders.html
Headers
● "Multiple message-header fields with the same field-name
MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated
list [i.e., #(values)]"
● The following are equivalent
Field-Name: field-value
Field-Name: field-value2
Field-Name: field-value1,field-value2
Headers - Browser Request Defaults
GET http://localhost:4952/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: localhost:4952

GET http://localhost:4952/ HTTP/1.1
Host: localhost:4952
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko)
Chrome/17.0.963.83 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate, sdch
Accept-Language: en-US, en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

GET http://localhost:4952/ HTTP/1.1
Host: localhost:4952
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us, en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Headers - Case Insensitive
● Field names are case-insensitive.
○ http://stackoverflow.com/questions/1130297/in-ie-the-x-requested-withheader-of-jquery-becomes-x-requested-with-lower
function doXHR() {
    var request = new XMLHttpRequest();
    request.open('GET', '/header/header.txt');
    // the same value, sent under four spellings of the field name
    request.setRequestHeader('x-lowercase', 'X-lowercase');
    request.setRequestHeader('x-Propercase', 'X-Propercase');
    request.setRequestHeader('x-CamelCase', 'X-CamelCase');
    request.setRequestHeader('x-UPPERCASE', 'X-UPPERCASE');
    request.onreadystatechange = function() {
        if (request.readyState == 4) {
            console.log('Received XMLHttpRequest callback: \n' + request.responseText);
        }
    };
    request.send("");
}
Headers - Case Insensitive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR
2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
x-lowercase: X-lowercase
x-camelcase: X-CamelCase
x-uppercase: X-UPPERCASE
x-propercase: X-Propercase

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/528.18 (KHTML, like
Gecko) Version/4.0 Safari/528.17
X-Lowercase: X-lowercase
X-Uppercase: X-UPPERCASE
X-Camelcase: X-CamelCase
X-Propercase: X-Propercase

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913
Firefox/3.0.6 (.NET CLR 3.5.30729)
x-lowercase: X-lowercase
x-Propercase: X-Propercase
x-CamelCase: X-CamelCase
x-UPPERCASE: X-UPPERCASE
What's Special About These Headers?
Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Content-Transfer-Encoding
Date
Expect

Host
Keep-Alive
Origin
Proxy-*
Referer
Sec-*
TE
Trailer
Transfer-Encoding
Upgrade
User-Agent
Via
Can't Set with XMLHttpRequest
● Read the spec for setRequestHeader()
http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method

● Or look at the WebKit source code
http://trac.webkit.org/browser/trunk/Source/WebCore/xml/XMLHttpRequest.cpp?
rev=105076
bool XMLHttpRequest::isAllowedHTTPHeader(const String& name)
{
    initializeXMLHttpRequestStaticData();
    return !staticData->m_forbiddenRequestHeaders.contains(name)
        && !name.startsWith(staticData->m_proxyHeaderPrefix, false)
        && !name.startsWith(staticData->m_secHeaderPrefix, false);
}
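As an added example (not from the talk), this Python folds a request's headers the way the slides describe, with case-insensitive names and comma-joined repeats, and applies the same forbidden-header rule WebKit's isAllowedHTTPHeader() enforces; it adds one defender's check the slides do not show: a repeated Content-Length or Host is rejected rather than joined, because those fields are not comma-separated lists and two hops may otherwise pick different values. The sample requests are constructed.

```python
from collections import OrderedDict

# Request headers a page script may not set through XMLHttpRequest (the list
# on the slide); WebKit also blocks the Proxy-* and Sec-* prefixes.
FORBIDDEN_REQUEST_HEADERS = {
    "accept-charset", "accept-encoding", "access-control-request-headers",
    "access-control-request-method", "connection", "content-length",
    "cookie", "cookie2", "content-transfer-encoding", "date", "expect",
    "host", "keep-alive", "origin", "referer", "te", "trailer",
    "transfer-encoding", "upgrade", "user-agent", "via",
}
FORBIDDEN_PREFIXES = ("proxy-", "sec-")

# Fields that are not comma-separated lists: a second copy is ambiguous
# (a front end and a back end may each pick a different one), so reject it.
SINGLE_VALUED = {"content-length", "host"}


def is_allowed_request_header(name):
    """Same decision as WebKit's isAllowedHTTPHeader(): exact names from the
    forbidden set plus the two prefixes, compared case-insensitively because
    HTTP field names are case-insensitive."""
    lowered = name.lower()
    if lowered in FORBIDDEN_REQUEST_HEADERS:
        return False
    return not lowered.startswith(FORBIDDEN_PREFIXES)


def parse_headers(raw):
    """Fold the header block (everything after the request line).

    Names are lower-cased, so 'x-CamelCase' and 'X-Camelcase' are one field.
    Repeats are joined with ',' as RFC 2616 section 4.2 allows for list-valued
    fields; a repeat of a SINGLE_VALUED field raises ValueError instead.
    Returns an OrderedDict in first-seen order.
    """
    headers = OrderedDict()
    for line in raw.split("\r\n"):
        if not line:
            continue  # the empty line ends the header block
        if line[0] in " \t":
            # folded continuation line (LWS): belongs to the previous field
            if not headers:
                raise ValueError("continuation line before any header")
            last = next(reversed(headers))
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower()
        value = value.strip()
        if key in headers:
            if key in SINGLE_VALUED:
                raise ValueError("duplicate %s header" % key)
            headers[key] += "," + value
        else:
            headers[key] = value
    return headers


def is_rejected(raw):
    """True when parse_headers refuses the header block."""
    try:
        parse_headers(raw)
    except ValueError:
        return True
    return False


# Constructed header block using the names from the XMLHttpRequest slide plus
# a repeated list-valued field; and a constructed block with two Content-Lengths.
XHR_REQUEST = (
    "Host: localhost:4952\r\n"
    "x-lowercase: X-lowercase\r\n"
    "x-Propercase: X-Propercase\r\n"
    "X-CAMELCASE: X-CamelCase\r\n"
    "x-UPPERCASE: X-UPPERCASE\r\n"
    "Accept: text/html\r\n"
    "accept: */*;q=0.8\r\n"
    "\r\n"
)
AMBIGUOUS_REQUEST = "Host: localhost:4952\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\n"

if __name__ == "__main__":
    for name, value in parse_headers(XHR_REQUEST).items():
        print("%-12s = %s" % (name, value))
    for name in ("x-CamelCase", "HOST", "Sec-WebSocket-Key", "proxy-authorization"):
        print(name, "allowed" if is_allowed_request_header(name) else "forbidden")
    print("ambiguous request rejected:", is_rejected(AMBIGUOUS_REQUEST))
```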
Encoding and Character Sets
● Accept-Encoding
○ gzip, compress, deflate, identity
● Transfer-Encoding
○ identity, chunked
● 19.4.5 No Content-Transfer-Encoding
○ "HTTP MUST remove any non-identity CTE ("quoted-printable" or "base64") encoding"
● 3.4 Character Sets
○ Note: This use of the term "character set" is more
commonly referred to as a "character encoding." However,
since HTTP and MIME share the same registry, it is
important that the terminology also be shared.
Code
HelloWebAPI
● Let's start with "Your First ASP.NET Web API (C#)"
○ http://www.asp.net/web-api/overview/getting-started-withaspnet-web-api/tutorial-your-first-web-api
● Demo
○ http://localhost:4952/
Fiddler & Transfer-Encoding: gzip
HTTP Potpourri
"Flush the Buffer Early"
● Best Practices for Speeding Up Your Web Site
○ http://developer.yahoo.com/performance/rules.html
● In Views\Shared\_Layout.cshtml, add Response.Flush
    </head>
    @{
        Response.Buffer = true;
        Response.Flush();
    }
    <body>
        @RenderBody()
    </body>
</html>
IE10 & Transfer-Encoding: chunked
Looks good to me...
Fiddler & Transfer-Encoding: chunked

however,
0x781 = 1921
"Flush the Buffer" and .aspx
this.HttpContext.Response.Buffer = true;
</head>
<% HttpContext.Current.Response.Flush(); %>
<body>

[Fiddler screenshot: Transfer-Encoding: chunked, charset utf-8, Content-Encoding: gzip; chunk sizes 296, a3, 0]
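As an added example (not from the talk), this Python encodes and strictly decodes a Transfer-Encoding: chunked body like the one behind the Fiddler and IE10 screenshots: the early-flushed <head> becomes the first chunk (0x781 = 1921 bytes in the capture), the rest of the page the next. The page body is constructed; the strictness (plain hex sizes, CRLF after every chunk, nothing after the final empty line) is the point, because a decoder that disagrees with the next hop about where the body ends reads a different message than that hop does.

```python
# Constructed stand-in for the page body: the flushed <head> padded to the
# 0x781 = 1921 bytes seen in the capture, then the remainder of the page.
FLUSHED_HEAD = b"<!DOCTYPE html><html><head><title>HelloWebAPI</title></head>".ljust(0x781, b" ")
REST_OF_PAGE = b"<body><h1>HTTP Potpourri</h1></body></html>"

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def encode_chunked(chunks, trailers=()):
    """Serialise chunks as a chunked body; each Response.Flush() is one chunk."""
    wire = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks if c)
    wire += b"0\r\n"
    for name, value in trailers:
        wire += name.encode("ascii") + b": " + value.encode("latin-1") + b"\r\n"
    return wire + b"\r\n"


def decode_chunked(body):
    """Decode a chunked body. Returns (payload, chunk_sizes, trailers).

    Strict on purpose: the chunk size must be plain hex digits (no sign, no
    '0x', no embedded whitespace), each chunk must be followed by CRLF, and
    nothing may follow the terminating empty line. Any violation raises.
    """
    pos, out, sizes = 0, bytearray(), []
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0]  # drop chunk extensions
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError("bad chunk size: %r" % size_field)
        size = int(size_field, 16)
        sizes.append(size)
        pos = eol + 2
        if size == 0:
            break
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
    trailers = {}
    while True:  # optional trailer fields, then the empty line
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line, pos = body[pos:eol], eol + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed trailer: %r" % line)
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    if pos != len(body):
        raise ValueError("%d bytes after the last chunk" % (len(body) - pos))
    return bytes(out), sizes, trailers


def is_rejected(body):
    """True when decode_chunked refuses the body."""
    try:
        decode_chunked(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    wire = encode_chunked([FLUSHED_HEAD, REST_OF_PAGE])
    payload, sizes, _ = decode_chunked(wire)
    print("chunk sizes:", ["%x" % s for s in sizes], "first chunk =", sizes[0], "bytes")
    print("payload intact:", payload == FLUSHED_HEAD + REST_OF_PAGE)
```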
IIS / ASP.NET Custom Headers
● What are these?
○ X-AspNetMvc-Version
○ X-AspNet-Version
○ X-SourceFiles
○ X-Powered-By
● How do I remove them, since I "trust no one"?
HTTP Potpourri
X- Fields
● Go by various names, referred to
○ as x-token in the BNF of RFC 2045
○ as user-defined ("X-") in section 5 of RFC 2047
○ as Experimental headers in section 4.2.2.1 of the News
Article Format draft
http://stackoverflow.com/questions/1810915/is-safe-touse-x-header-in-a-http-response
● Deprecating Use of the "X-" Prefix in Application Protocols
(draft 03; January 27, 2012)
http://tools.ietf.org/html/draft-saintandre-xdash-03
○ "deprecates the "X-" convention for most application
protocols by making specific recommendations"
X-AspNetMvc-Version: 4.0
● To remove this header, in the Application_Start()
of Global.asax.cs add:
○ MvcHandler.DisableMvcResponseHeader = true;

● http://stackoverflow.com/questions/3418557/how-to-removeasp-net-mvc-default-http-headers/3418574#3418574
X-AspNet-Version: 4.0.30319
● To remove this header, in Web.config, add:
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>

● http://stackoverflow.com/questions/3418557/how-to-removeasp-net-mvc-default-http-headers/3418574#3418574
X-Powered-By: ASP.NET
● To remove this header, in Web.config add:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
X-SourceFiles
● http://stackoverflow.com/questions/4851684/what-does-thex-sourcefiles-header-do
● X-SourceFiles: =?UTF-8?B?
YzpcdXNlcnNcZGV2ZWxvcGVyXGRvY3VtZW50c1x2aXN1Y
Wwgc3R1ZGlvIDExXFByb2plY3RzXEhlbGxvV2ViQVBJXE
hlbGxvV2ViQVBJ?=
● Decodes to:
○ c:\users\developer\documents\visual studio 11\Projects\HelloWebAPI\HelloWebAPI
● encoded-word (http://tools.ietf.org/html/rfc1342)
○ "=" "?" charset "?" encoding "?" encoded-text "?" "="
○ encoding either "B" (Base64) or "Q" (Quoted Printable)
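As an added example (not from the talk), this Python decodes RFC 1342/2047 encoded-words in a header value, handling both the "B" (Base64) and "Q" (Quoted-Printable) encodings, and runs it over the X-SourceFiles value from the slide, which the slide shows wrapped across lines. The decoded value is a developer's local filesystem path, which is the reason a header like this must not survive into a production response.

```python
import base64
import quopri
import re

# One encoded-word: =?charset?encoding?encoded-text?=  (RFC 1342 / RFC 2047)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")

# The X-SourceFiles value from the slide, wrapped as the slide shows it.
X_SOURCEFILES = (
    "=?UTF-8?B?"
    "YzpcdXNlcnNcZGV2ZWxvcGVyXGRvY3VtZW50c1x2aXN1Y\n"
    "Wwgc3R1ZGlvIDExXFByb2plY3RzXEhlbGxvV2ViQVBJXE\n"
    "hlbGxvV2ViQVBJ?="
)


def _decode_one(match):
    charset, encoding, text = match.group(1), match.group(2).upper(), match.group(3)
    charset = charset.split("*")[0]  # drop an RFC 2231 language tag such as *en
    if encoding == "B":
        raw = base64.b64decode(text, validate=True)  # reject non-alphabet bytes
    else:
        # Q encoding: '_' means space and =XX is a hex byte; header=True handles '_'
        raw = quopri.decodestring(text.encode("ascii"), header=True)
    return raw.decode(charset)


def decode_encoded_words(value):
    """Decode every encoded-word in a header value; surrounding plain text is kept.

    Whitespace (including line breaks) inside an encoded-word is removed before
    matching, so a value wrapped for display still decodes. Bad Base64 or an
    unknown charset raises (binascii.Error / LookupError) rather than yielding
    garbage silently.
    """
    unwrapped = re.sub(r"=\?.*?\?=", lambda m: re.sub(r"\s+", "", m.group(0)), value, flags=re.S)
    return ENCODED_WORD.sub(_decode_one, unwrapped)


if __name__ == "__main__":
    print("X-SourceFiles:", decode_encoded_words(X_SOURCEFILES))
    print("Q example:    ", decode_encoded_words("=?ISO-8859-1?Q?Caf=E9_au_lait?="))
```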
Header Limits?
● IIS has several limits
http://stackoverflow.com/questions/1097651/is-there-apractical-http-header-length-limit
● Http.sys registry settings for IIS
http://support.microsoft.com/kb/820129
○ MaxFieldLength is "upper limit for each header"
○ MaxRequestBytes is "upper limit for the total size of the
Request line and the headers"
● Header Limits <headerLimits>
http://www.iis.net/ConfigReference/system.
webServer/security/requestFiltering/requestLimits/headerLim
its
○ limit the length of a specific header
<add header="Content-type" sizeLimit="100" />
This Slide Intentionally
Left Blank
File Upload
● jQuery File Upload Plugin
○ "Files can be uploaded as standard "multipart/form-data"
or file contents stream (HTTP PUT file upload)."
○ https://github.com/blueimp/jQuery-File-Upload
<input id="fileupload" type="file" name="files[]" data-url="/Logo/Upload" multiple>
$('#fileupload').fileupload({});
RFC 2388 multipart message
POST http://localhost:4952/Logo/Upload HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Content-Length: 17860
Origin: http://localhost:4952
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko)
Chrome/17.0.963.83 Safari/535.11
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryV7HK5HxBBDfYoirj
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
------WebKitFormBoundaryV7HK5HxBBDfYoirj
Content-Disposition: form-data; name="files[]"; filename="logo.png"
Content-Type: image/png

[binary PNG data]
------WebKitFormBoundaryV7HK5HxBBDfYoirj--
$('#id').fileupload({multipart:false})
POST http://localhost:4952/Logo/Upload HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Content-Length: 17662
Origin: http://localhost:4952
X-File-Size: 17662
X-Requested-With: XMLHttpRequest
X-File-Name: logo.png
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11
(KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Content-Type: image/png
Accept: application/json, text/javascript, */*; q=0.01
X-File-Type: image/png
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Page Load
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like
Gecko) Chrome/17.0.963.83 Safari/535.11
Accept: */*
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Encoding: gzip
ETag: dada50d251fa1ac5c4b25961f87671dd
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Date: Fri, 06 Apr 2012 19:58:03 GMT
Content-Length: 25973
Etag and 304
● Use MD5 hash of data to generate Etag value
● Compare MD5 hash against If-None-Match to return 304
String hash = logoInfo.Etag;
if (hash.Equals(Request.Headers["If-None-Match"])) {
    Response.StatusCode = 304;
} else {
    Response.ContentType = logoInfo.ContentType;
    Response.Headers["Etag"] = hash;
    logoInfo.Stream.Position = 0;
    logoInfo.Stream.CopyTo(Response.OutputStream);
}
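As an added example (not from the talk), this Python carries the slide's Download action through the three captures that follow (plain load, F5 with If-None-Match, Ctrl+F5 with no-cache) and generalises it: the ETag is quoted as RFC 2616 requires (the slide sends the bare digest, which browsers echo back unchanged), If-None-Match may be "*" or a comma-separated list, and W/ weak tags are accepted for GET validation. The logo bytes are constructed.

```python
import hashlib


def make_etag(data):
    """Strong entity tag from the MD5 of the bytes, quoted as RFC 2616 3.11 requires.
    MD5 is used as an identity here, as on the slide, not as a security control."""
    return '"%s"' % hashlib.md5(data).hexdigest()


def _strip_weak(tag):
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(etag, if_none_match):
    """Weak comparison (RFC 2616 13.3.3): a W/ prefix on either side is ignored,
    which is allowed when validating a GET/HEAD. If-None-Match may be '*' or a
    comma-separated list of entity tags."""
    if not if_none_match:
        return False
    for tag in (t.strip() for t in if_none_match.split(",")):
        if tag == "*" or (tag and _strip_weak(tag) == _strip_weak(etag)):
            return True
    return False


def conditional_get(data, content_type, request_headers):
    """Returns (status, headers, body) for a GET of data.

    A matching If-None-Match yields 304 with an empty body; the ETag is sent on
    the 304 too so caches can refresh it. A Ctrl+F5 reload carries
    Cache-Control: no-cache and no If-None-Match, so it simply gets a 200.
    """
    etag = make_etag(data)
    lowered = {k.lower(): v for k, v in request_headers.items()}
    headers = {"ETag": etag, "Cache-Control": "private"}
    if etag_matches(etag, lowered.get("if-none-match")):
        return 304, headers, b""
    headers["Content-Type"] = content_type
    headers["Content-Length"] = str(len(data))
    return 200, headers, data


# Constructed stand-in for logo.png (a real PNG starts with these 8 bytes).
LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed image bytes"

if __name__ == "__main__":
    etag = make_etag(LOGO)
    for name, req in [("page load", {}),
                      ("F5", {"Cache-Control": "max-age=0", "If-None-Match": etag}),
                      ("Ctrl+F5", {"Cache-Control": "no-cache", "Pragma": "no-cache"})]:
        status, headers, body = conditional_get(LOGO, "image/png", req)
        print("%-9s -> %d, %d body bytes, ETag %s" % (name, status, len(body), headers["ETag"]))
```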
F5 Reload
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like
Gecko) Chrome/17.0.963.83 Safari/535.11
If-None-Match: dada50d251fa1ac5c4b25961f87671dd
Accept: */*
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 304 Not Modified
Cache-Control: private
Server: Microsoft-IIS/7.5
Date: Fri, 06 Apr 2012 19:58:39 GMT
Ctrl + F5 Reload
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like
Gecko) Chrome/17.0.963.83 Safari/535.11
Accept: */*
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Encoding: gzip
ETag: dada50d251fa1ac5c4b25961f87671dd
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Date: Fri, 06 Apr 2012 20:00:38 GMT
Content-Length: 25973
Cache Headers
● Set Cache-Control:

public,max-age=X

with <clientCache>

http://www.iis.net/ConfigReference/system.webServer/staticContent/clientCache

● Clear Etag needs URL Rewrite Module 2.0 installed
http://stackoverflow.com/questions/7947420/iis-7-5-remove-etag-headers-fromresponse
<system.webServer>
    <staticContent>
        <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge"
                     cacheControlMaxAge="7.00:00:00" />
    </staticContent>
    <rewrite>
        <outboundRules>
            <rule name="Remove ETag">
                <match serverVariable="RESPONSE_ETag" pattern=".+" />
                <action type="Rewrite" value="" />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>
Squid Proxy
● Squid 2.7 for Windows (http://squid.acmeconsulting.it/)
● squid.conf
○ http_access allow localhost
● Set proxy as localhost:3128 then see additional response
headers
Proxy-Connection: keep-alive
Via: 1.1 U0038137-W8A:3128 (squid/2.7.STABLE8)
X-Cache: MISS from U0038137-W8A
X-Cache-Lookup: MISS from U0038137-W8A:3128
PURGE
● Purge an object from the Squid cache
○ http://wiki.squid-cache.org/SquidFaq/OperatingSquid
● squid.conf
○ acl PURGE method PURGE
○ http_access allow PURGE localhost
○ http_access deny PURGE
● squidclient -m PURGE <url>
● curl --request PURGE --proxy localhost:3128 <url>
WebDAV
● "extension to the HTTP/1.1 protocol that allows clients to
perform remote web content authoring operations"
● Leveraged existing HTTP Methods
○ GET, HEAD, POST, DELETE, PUT
● Defined new HTTP Methods
○ PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
LOCK, UNLOCK
● New Status Codes
○ 102 Processing, 207 Multi-Status, 422 Unprocessable
Entity, 423 Locked, 424 Failed Dependency, 507
Insufficient Storage
curl - transfer a url
● Installed on Windows if you have Git Bash
○ http://curl.haxx.se/docs/manpage.html
● Some options
--compressed
--data-binary <data>
-F, --form <name=content>
-H, --header <header>
--limit-rate <speed>
-o, --output <file>
-T, --upload-file <file>
-x, --proxy <[protocol://][user@password]proxyhost[:port]>
-X, --request <command>
WebDAV - PROPFIND Request
$ curl --proxy localhost:8888 --request
PROPFIND http://localhost:4952/Logo/Download
PROPFIND http://localhost:4952/Logo/Download HTTP/1.1
User-Agent: curl/7.21.1 (i686-pc-mingw32) libcurl/7.21.1
OpenSSL/0.9.8r zlib/1.2.3
Host: localhost:4952
Accept: */*
Connection: Keep-Alive
WebDAV - PROPFIND Response
HTTP/1.1 207 Multi-Status
Cache-Control: private
Content-Type: text/xml
Server: Microsoft-IIS/7.5
Date: Sat, 07 Apr 2012 20:53:01 GMT
Content-Length: 532
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
    <D:response>
        <D:href>http://localhost:4952/Logo/Download</D:href>
        <D:propstat>
            <D:prop>
                <D:status>HTTP/1.1 200 OK</D:status>
                <D:getcontenttype>image/png</D:getcontenttype>
                <D:getlastmodified>Sat, 07 Apr 2012 20:45:05 GMT</D:getlastmodified>
                <D:getetag>dada50d251fa1ac5c4b25961f87671dd</D:getetag>
                <D:creationdate>Sat, 07 Apr 2012 20:45:05 GMT</D:creationdate>
            </D:prop>
        </D:propstat>
    </D:response>
</D:multistatus>
public ActionResult Propfind()
[ActionName("Download")]
[AcceptVerbs("PROPFIND")]
public ActionResult Propfind()
{
    Response.StatusCode = 207;
    Response.ContentType = "text/xml";
    Response.Charset = null;
    ViewBag.ContentType = logoInfo.ContentType;
    ViewBag.Date = logoInfo.Date;
    ViewBag.Etag = logoInfo.Etag;
    return PartialView("Propfind");
}
Propfind.cshtml
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
    <D:response>
        <D:href>@Request.Url</D:href>
        <D:propstat>
            <D:prop>
                <D:status>HTTP/1.1 200 OK</D:status>
                <D:getcontenttype>@ViewBag.ContentType</D:getcontenttype>
                <D:getlastmodified>
                    @ViewBag.Date.ToUniversalTime().ToString("r")
                </D:getlastmodified>
                <D:getetag>@ViewBag.Etag</D:getetag>
                <D:creationdate>
                    @ViewBag.Date.ToUniversalTime().ToString("r")
                </D:creationdate>
            </D:prop>
        </D:propstat>
    </D:response>
</D:multistatus>
Browser Security
X-Frame-Options
● Combating ClickJacking With X-Frame-Options
○ http://blogs.msdn.
com/b/ieinternals/archive/2010/03/30/combatingclickjacking-with-x-frame-options.aspx
● Browser Support:
○ IE8+, Safari 4+, Chrome 4+, Firefox 3.6.9+
○ Test at http://www.enhanceie.com/test/clickjack/
● Value may be one of
○ DENY - block rendering if within a frame
○ SAMEORIGIN - block rendering if the top-level browsing
context is a different origin
○ ALLOW-FROM origin - block rendering if the framing origin
differs from the given origin value
HTTP Strict Transport Security
● Allows a site to request that it always be contacted over
HTTPS.
○ http://dev.chromium.org/sts
● Supported in Google Chrome, Firefox 4.
● Remembers that for the given number of seconds, that the
current domain should only be contacted over HTTPS
● Spec
○ http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06

● Example Response Header
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Cross-Origin Resource Sharing
● a.k.a. CORS http://www.w3.org/TR/cors/
● Implementing CORS support in ASP.NET Web APIs
○ http://blogs.msdn.
com/b/carlosfigueira/archive/2012/02/21/implementing-corssupport-in-asp-net-web-apis-take-2.aspx

● Request Headers
○ Origin
○ Access-Control-Request-Method
○ Access-Control-Request-Headers

● Response Headers
○ Access-Control-Allow-Origin
○ Access-Control-Allow-Credentials
○ Access-Control-Expose-Headers
○ Access-Control-Max-Age
○ Access-Control-Allow-Methods
○ Access-Control-Allow-Headers
CORS Preflight Request/Response
OPTIONS http://localhost:4952/api/Values/ HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:7147
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83
Safari/535.11
Access-Control-Request-Headers: Origin, Content-Type, Accept
Accept: */*
Referer: http://localhost:7147/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Origin, Content-Type, Accept
Access-Control-Allow-Origin: http://localhost:7147
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 28 Mar 2012 17:38:00 GMT
Content-Length: 0
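As an added example (not from the talk, and not the ASP.NET Web API code the linked post describes), this Python answers the OPTIONS preflight captured above from a defender's position: the Origin is checked against an allow-list rather than reflected, the requested method and headers are checked too, and a refused preflight carries no Access-Control-* headers at all so the browser blocks the real request. The request headers are a constructed dict built from the capture.

```python
# Allow-list for the demo page on port 7147 calling the API on port 4952.
# Reflecting an arbitrary Origin, especially with Allow-Credentials, would let
# any site make credentialed calls to this API from the user's browser.
ALLOWED_ORIGINS = {"http://localhost:7147"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"origin", "content-type", "accept"}
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache this preflight answer


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def handle_preflight(request_headers, allow_credentials=False):
    """Answer an OPTIONS preflight. Returns (status, response_headers).

    Approved only when the Origin is allow-listed, the requested method is
    allowed and every requested header is allowed; otherwise 403 without any
    Access-Control-* header, which makes the browser refuse the actual request.
    """
    lowered = {k.lower(): v for k, v in request_headers.items()}
    origin = lowered.get("origin")
    method = lowered.get("access-control-request-method", "").upper()
    requested = [h.lower() for h in _split_list(lowered.get("access-control-request-headers", ""))]

    refused = (403, {"Vary": "Origin"})
    if origin not in ALLOWED_ORIGINS:
        return refused
    if method not in ALLOWED_METHODS:
        return refused
    if any(h not in ALLOWED_HEADERS for h in requested):
        return refused

    response = {
        "Access-Control-Allow-Origin": origin,   # the specific origin, never "*" here
        "Vary": "Origin",                        # caches must key the answer on Origin
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE),
        "Content-Length": "0",
    }
    if allow_credentials:
        # Browsers reject "*" together with credentials; a specific origin is required.
        response["Access-Control-Allow-Credentials"] = "true"
    return 200, response


# The preflight captured on the slide, as a constructed header dict.
SLIDE_PREFLIGHT = {
    "Host": "localhost:4952",
    "Access-Control-Request-Method": "POST",
    "Origin": "http://localhost:7147",
    "Access-Control-Request-Headers": "Origin, Content-Type, Accept",
    "Accept": "*/*",
    "Referer": "http://localhost:7147/",
}

if __name__ == "__main__":
    for label, req in [("slide", SLIDE_PREFLIGHT),
                       ("other origin", dict(SLIDE_PREFLIGHT, Origin="http://other.example"))]:
        status, headers = handle_preflight(req)
        print(label, status, headers)
```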
Demo
http://localhost:7147/
HTTP Potpourri
Cross-Site Request Forgery (CSRF)
● How to use ASP.NET MVC anti-forgery helpers with web
apis?
● Started with "Preventing CSRF with Ajax"
http://haacked.com/archive/2011/10/10/preventing-csrf-withajax.aspx
● Used the "ASP.NET MVC 3 RTM Source Code" to peek into
the inner workings of AntiForgery
https://aspnet.codeplex.com/releases/view/58781
Modifications
● Controller code
var inputTag = AntiForgery.GetHtml(this.HttpContext, null, null, null).ToString();
var tokenValue = Regex.Match(inputTag, "value=\"(.*)\"").Groups[1].Value;
ViewBag.RequestVerificationToken = tokenValue;

● View code
$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    if (!options.headers) options.headers = {};
    options.headers["__RequestVerificationToken"] = "@ViewBag.RequestVerificationToken";
});

● validation not working yet, because:
○ System.Web.Http.Filters.FilterAttribute != System.Web.
Mvc.FilterAttribute
CSRF
GET http://localhost:4952/api/products/ HTTP/1.1
__RequestVerificationToken:
q592rxZ1san7NwORzH0SkHp8rpIYB9IDgosSIt+/hB4hVsKUB/xsfCfsiqdStnHZ459xX+mM8VKL+IUP1CDM8jcoKv5L
a1l4XszC5tz6FiIY2lVXZ+CaYytbjV2o+I0wJHyLvrpgjyzGwHHErwVv4jgDG3khJr1ibRGGJicFlWw=
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://localhost:4952/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E;
.NET4.0C; Media Center PC 6.0; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Host: localhost:4952
Connection: Keep-Alive
Cookie:
__RequestVerificationToken_Lw__ =WVJj4wvLfroG56QsHbZHNxhSZBxbsf3nN1FPsBp8AWgyyuKSr19voC8zxwl1
wu1GfI9/uqKcdf03dtVN8Izm+JkDG6/j/zhnKFyYWw8Tiqr88URDO/mOhE8edSY93ZSuALnPYeD/VS1VftEqvKbtSA7B
gWxKhRddOrm5Sc9VMjk=
(Near?) Future
WebSockets
● Couldn't get SignalR working with IIS 8 and WebSockets
● Getting started with WebSockets in Windows 8
○ http://www.paulbatum.com/2011/09/getting-started-withwebsockets-in.html
○ https://github.com/paulbatum/PushFrenzy
● Hard to peek under the covers - RFC 6455:
○ 1.7. Relationship to TCP and HTTP
The WebSocket Protocol is an independent TCP-based
protocol. Its only relationship to HTTP is that its
handshake is interpreted by HTTP servers as an Upgrade
request.

http://tools.ietf.org/html/rfc6455
WebSockets - PushFrenzy
GET http://localhost/PushFrenzy.Web/connect?nickname=IE&gamesize=2 HTTP/1.1
Origin: localhost
Sec-WebSocket-Key: 9l4ov6WTcktNZhDxzofNsA==
Connection: Upgrade
Upgrade: Websocket
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Host: localhost
Cache-Control: no-cache

HTTP/1.1 101 Switching Protocols
Cache-Control: private
Upgrade: Websocket
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
Sec-WebSocket-Accept: 2npInS6ZLafsQdJ4EPNxraKGlpY=
Connection: Upgrade
X-Powered-By: ASP.NET
Date: Tue, 03 Apr 2012 20:40:47 GMT
HTTP Potpourri
http://websocketstest.com/
WebSockets - Fiddler
● Glimpse of the future: Fiddler and HTML5 WebSockets
○ http://blogs.msdn.com/b/fiddler/archive/2011/11/22/fiddlerand-websockets.aspx
● Single Request/Response entry
● Most data appears in Log tab
● Look for these bytes in upcoming slides
○ 81 0A 63 6F 6E 6E 65 63 74 65 64 2C
WebSockets - Fiddler
GET http://ws.websocketstest.com/service HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Host: ws.websocketstest.com
Origin: http://websocketstest.com
Sec-WebSocket-Key: a05pbM96VhcorGnOP29sOw==
Sec-WebSocket-Version: 13
Cookie: __utma=245398530.78459945.1333486200.1333486200.1333486200.1; __utmb=245398530.7.10.1333486200; __utmc=245398530; __utmz=245398530.1333486200.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 101 Switching Protocols
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Accept: dHDHGWWR3k2+1linxGu02hAH/00=
EndTime: 16:24:34.380
WebSockets - Fiddler Log Start
16:22:18:9186 Upgrading Session #29 to websocket
16:22:18:9886 [WebSocket #29] Received from server 12 bytes
Flags: 10000001 Message Masking: False. Data length: 10 bytes.
81 0A 63 6F 6E 6E 65 63 74 65 64 2C

�.connected,

16:22:18:9886 [WebSocket #29] Received from browser 14 bytes
Flags: 10000001 Message Masking: True. Data length: 8 bytes.
Masking key is: 8C 07 80 8F
version,
81 88 8C 07 80 8F FA 62 F2 FC E5 68 EE A3
�ˆŒ.€�úbòüåhî£
16:22:19:0586 [WebSocket #29] Received from server 23 bytes
Flags: 10000001 Message Masking: False. Data length: 21 bytes.
81 15 76 65 72 73 69 6F 6E 2C 68 79 62 69 2D 64 72 61 66 74 2D 31 33
version,hybi-draft-13
WebSockets - Fiddler Log End
16:24:33:5642 [WebSocket #29] Received from server 24 bytes
Flags: 10000001 Message Masking: False. Data length: 22 bytes.
81 16 74 69 6D 65 2C 32 30 31 32 2F 34 2F 33 20 32 31 3A 32 32 3A 31 39
time,2012/4/3 21:22:19

16:24:34:3802 [WebSocket #29] OnClientReceive from browser failed; ret=0
WebSockets - Wireshark Capture
● Wireshark notes that this HTTP does not seem right
○ "Continuation or non-HTTP traffic"
WebSockets - Wireshark Capture
16:22:18:9186 Upgrading Session #29 to websocket
16:22:18:9886 [WebSocket #29] Received from server 12 bytes
Flags: 10000001 Message Masking: False. Data length: 10 bytes.
81 0A 63 6F 6E 6E 65 63 74 65 64 2C
connected,
WebSockets - Wireshark Capture
SPDY

● An experimental protocol for a faster web
○ http://dev.chromium.org/spdy/spdy-whitepaper
○ "application-layer protocol for transporting content over the
web, designed specifically for minimal latency"
○ "TCP is the generic, reliable transport protocol, providing
guaranteed delivery, duplicate suppression, in-order
delivery, flow control, congestion avoidance and other
transport features."
○ "HTTP is the application level protocol providing basic
request/response semantics."
○ "adds a session layer atop of SSL that allows for multiple
concurrent, interleaved streams over a single TCP
connection"
SPDY - Request Changes
● First line of the request is unfolded into name/value pairs like
other HTTP headers
● Duplicate header names are not allowed
● Header names are all lowercase
● The Connection and Keep-Alive headers are no longer
valid and are ignored if present
● Clients assumed to support Accept-Encoding: gzip
● HTTP request headers are compressed with gzip encoding
● The "host" header is ignored as the host:port portion of the
HTTP URL is the definitive host
● Content-length is only advisory for length (so that
progress meters can work)
● Chunked encoding is no longer valid.
SPDY - Response Changes
● The response status line is unfolded into name/value pairs
like other HTTP headers
● All header names must be lowercase
● The Connection and Keep-alive response headers are
no longer valid
● Content-length is only advisory for length
● Chunked encoding is no longer valid
● Duplicate header names are not allowed
SPDY - Tools and Debugging
● New protocol = new debugging tools
○ Chrome about:net-internals
Questions?
(and, please evaluate
http://tccc.agilevent.com/)

Spectral efficient network and resource selection model in 5G networks
Empathic Computing: Creating Shared Understanding
NewMind AI Monthly Chronicles - July 2025
Digital-Transformation-Roadmap-for-Companies.pptx
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Understanding_Digital_Forensics_Presentation.pptx
MYSQL Presentation for SQL database connectivity
Big Data Technologies - Introduction.pptx
Reach Out and Touch Someone: Haptics and Empathic Computing
NewMind AI Weekly Chronicles - August'25 Week I
The AUB Centre for AI in Media Proposal.docx
Per capita expenditure prediction using model stacking based on satellite ima...
Dropbox Q2 2025 Financial Results & Investor Presentation
Approach and Philosophy of On baking technology
Cloud computing and distributed systems.
Modernizing your data center with Dell and AMD
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Diabetes mellitus diagnosis method based random forest with bat algorithm

HTTP Potpourri

  • 1. HTTP Potpourri Kevin Hakanson Twin Cities Code Camp 12 14-15 April 2012
  • 2. Are You In The Right Place? ● This talk: ○ Embracing HTTP is an important property of well constructed ReSTful and web apis. Every web developer is familiar with GET and POST, 200 and 404, Accept and Content-Type; but what about 207 and 413, OPTIONS and PROPFIND, Transfer-Encoding and X-File-Size? This session will be based on usage of various HTTP methods, headers and status codes drawn from the development of large scale, web applications. Examples will include raw HTTP, mixed in with JavaScript and ASP.NET MVC code. ● This speaker: ○ Kevin Hakanson is an application architect for Thomson Reuters where he is focused on highly scalable web applications. His background includes both .NET and Java, but he is most nostalgic about Lotus Notes. He has been developing professionally since 1994 and holds a Master’s degree in Software Engineering. When not staring at a computer screen, he is probably staring at another screen, either watching TV or playing video games with his family.
  • 4. What to Expect ● define:potpourri ○ "A collection of various things; an assortment, mixed bag or motley" - Wiktionary ● "Based on a True Story" ○ derived from production code from large scale, web app ○ combined with stackoverflow questions ○ and a mix of web tutorials ● Combination of informational slides with highlights, screenshots, code samples and HTTP snippets ● Attempts at humor ● Questions (OK during presentation)
  • 5. Tools and Technologies ● IE 10, Chrome 17, Firefox 11 ● Fiddler, Wireshark ● curl (Git Bash) ● Windows 8 Consumer Preview ● Visual Studio 11 (beta) ● ASP.NET MVC 4 ● Squid ● Alt + PrtScr; Paint.NET ● memegenerator.net ● live co-worker audience
○ OPTIONS, GET, HEAD, PUT, POST, DELETE, TRACE, CONNECT
● Only GET and POST work with <form method="">
● Everything allowed with AJAX
● Sometimes you need X-HTTP-Method-Override
○ http://stackoverflow.com/questions/467535/is-it-possible-to-implement-x-httpmethod-override-in-asp-net-mvc
○ <%=Html.HttpMethodOverride(HttpVerbs.Delete) %>
○ <input name="X-HTTP-Method-Override" type="hidden" value="DELETE" />
Headers
● HTTP header fields, which include http://www.w3.org/Protocols/rfc2616/rfc2616.html
○ general-header (section 4.5)
○ request-header (section 5.3)
○ response-header (section 6.2)
○ entity-header (section 7.1)
● Permanent Message Header Field Names
○ http://www.iana.org/assignments/message-headers/permheaders.html
Headers
● "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]"
● The following are equivalent:
    Field-Name: field-value1
    Field-Name: field-value2

    Field-Name: field-value1,field-value2
Headers - Browser Request Defaults
● IE 10:
    GET http://localhost:4952/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: localhost:4952
● Chrome 17:
    GET http://localhost:4952/ HTTP/1.1
    Host: localhost:4952
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
● Firefox 11:
    GET http://localhost:4952/ HTTP/1.1
    Host: localhost:4952
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
Headers - Case Insensitive
● Field names are case-insensitive.
○ http://stackoverflow.com/questions/1130297/in-ie-the-x-requested-withheader-of-jquery-becomes-x-requested-with-lower
    function doXHR() {
        var request = new XMLHttpRequest();
        request.open('GET', '/header/header.txt');
        request.setRequestHeader('x-lowercase', 'X-lowercase');
        request.setRequestHeader('x-Propercase', 'X-Propercase');
        request.setRequestHeader('x-CamelCase', 'X-CamelCase');
        request.setRequestHeader('x-UPPERCASE', 'X-UPPERCASE');
        request.onreadystatechange = function() {
            if (request.readyState == 4) {
                console.log('Received XMLHttpRequest callback:\n' + request.responseText);
            }
        };
        request.send("");
    }
Headers - Case Insensitive
● IE 8 sends the names all lower-case:
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
    x-lowercase: X-lowercase
    x-camelcase: X-CamelCase
    x-uppercase: X-UPPERCASE
    x-propercase: X-Propercase
● Safari 4 capitalizes each word of the name:
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Safari/528.17
    X-Lowercase: X-lowercase
    X-Uppercase: X-UPPERCASE
    X-Camelcase: X-CamelCase
    X-Propercase: X-Propercase
● Firefox 3 sends the names exactly as given:
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)
    x-lowercase: X-lowercase
    x-Propercase: X-Propercase
    x-CamelCase: X-CamelCase
    x-UPPERCASE: X-UPPERCASE
What's Special About These Headers?
    Accept-Charset, Accept-Encoding, Access-Control-Request-Headers, Access-Control-Request-Method, Connection, Content-Length, Cookie, Cookie2, Content-Transfer-Encoding, Date, Expect, Host, Keep-Alive, Origin, Proxy-*, Referer, Sec-*, TE, Trailer, Transfer-Encoding, Upgrade, User-Agent, Via
Can't Set with XMLHttpRequest
● Read the spec for setRequestHeader() http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
● Or look at the WebKit source code http://trac.webkit.org/browser/trunk/Source/WebCore/xml/XMLHttpRequest.cpp?rev=105076
    bool XMLHttpRequest::isAllowedHTTPHeader(const String& name)
    {
        initializeXMLHttpRequestStaticData();
        return !staticData->m_forbiddenRequestHeaders.contains(name)
            && !name.startsWith(staticData->m_proxyHeaderPrefix, false)
            && !name.startsWith(staticData->m_secHeaderPrefix, false);
    }
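As an added example (not code from the slides), here is a small Node.js header parser that applies the two rules just shown: field names compare case-insensitively (slides 11 and 12), and repeated fields fold into one comma-separated value (slide 9). It also re-implements the XMLHttpRequest forbidden-header test from the WebKit snippet using the header list on slide 13. The sample requests are constructed here; the parser rejects whitespace before the colon rather than guessing, since lenient handling of malformed names is how two hops end up reading a header differently.

```javascript
// Added example, not from the slides. Node.js, no dependencies.

// Headers script may not set via setRequestHeader() (list from slide 13);
// "Proxy-" and "Sec-" are prefixes, as in WebKit's isAllowedHTTPHeader().
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'content-transfer-encoding', 'date', 'expect', 'host',
  'keep-alive', 'origin', 'referer', 'te', 'trailer', 'transfer-encoding',
  'upgrade', 'user-agent', 'via',
]);

// Same logic as the WebKit snippet: the comparison is case-insensitive, and
// the two prefixes are checked case-insensitively as well.
function isAllowedRequestHeader(name) {
  const lower = String(name).toLowerCase();
  return !FORBIDDEN_REQUEST_HEADERS.has(lower)
    && !lower.startsWith('proxy-')
    && !lower.startsWith('sec-');
}

// Parse the head of an HTTP/1.1 message: start line, then header lines up to
// the first empty line. Field names are lower-cased; repeated fields are
// joined with a comma, the form RFC 2616 4.2 says is equivalent. Whitespace
// before the colon is an error, so "Host : x" is not silently taken as Host.
function parseMessageHead(raw) {
  const lines = raw.split(/\r?\n/);
  const startLine = lines.shift();
  const headers = new Map();
  for (const line of lines) {
    if (line === '') break;
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    const rawName = line.slice(0, colon);
    if (/\s/.test(rawName)) throw new Error(`whitespace in field name: ${JSON.stringify(rawName)}`);
    const name = rawName.toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)},${value}` : value);
  }
  return { startLine, headers };
}

// True when two message heads carry the same headers after normalisation.
function sameHeaders(rawA, rawB) {
  const a = parseMessageHead(rawA).headers;
  const b = parseMessageHead(rawB).headers;
  if (a.size !== b.size) return false;
  for (const [name, value] of a) if (b.get(name) !== value) return false;
  return true;
}

// Constructed sample requests: the same headers, once as two lines, once folded.
const TWO_LINES = [
  'GET /header/header.txt HTTP/1.1',
  'Host: localhost:4952',
  'Accept: text/html',
  'accept: application/xml;q=0.9',
  'x-CamelCase: X-CamelCase',
  '',
].join('\r\n');

const ONE_LINE = [
  'GET /header/header.txt HTTP/1.1',
  'host: localhost:4952',
  'ACCEPT: text/html,application/xml;q=0.9',
  'X-Camelcase: X-CamelCase',
  '',
].join('\r\n');

console.log(sameHeaders(TWO_LINES, ONE_LINE));            // true
console.log(isAllowedRequestHeader('X-Requested-With'));  // true
console.log(isAllowedRequestHeader('Sec-WebSocket-Key')); // false
```

The folded and unfolded forms compare equal only because the parser normalises both; the same is not true for Set-Cookie, which is the one common header whose value is not a comma-separated list and must never be folded.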
Encoding and Character Sets
● Accept-Encoding
○ gzip, compress, deflate, identity
● Transfer-Encoding
○ identity, chunked
● 19.4.5 No Content-Transfer-Encoding
○ "HTTP MUST remove any non-identity CTE ("quoted-printable" or "base64") encoding"
● 3.4 Character Sets
○ Note: This use of the term "character set" is more commonly referred to as a "character encoding." However, since HTTP and MIME share the same registry, it is important that the terminology also be shared.
Code
HelloWebAPI
● Let's start with "Your First ASP.NET Web API (C#)"
○ http://www.asp.net/web-api/overview/getting-started-withaspnet-web-api/tutorial-your-first-web-api
● Demo
○ http://localhost:4952/
"Flush the Buffer Early"
● Best Practices for Speeding Up Your Web Site
○ http://developer.yahoo.com/performance/rules.html
● In Views\Shared\_Layout.cshtml, add Response.Flush() right after </head>:
    </head>
    @{
        Response.Buffer = true;
        Response.Flush();
    }
    <body>
        @RenderBody()
    </body>
    </html>
IE10 & Transfer-Encoding: chunked
● Looks good to me...
Fiddler & Transfer-Encoding: chunked
● however, Fiddler shows the chunk size as 0x781 = 1921
"Flush the Buffer" and .aspx
    this.HttpContext.Response.Buffer = true;
    </head>
    <% HttpContext.Current.Response.Flush(); %>
    <body>
● Observed response: chunked, utf-8, gzip; chunk sizes 296, a3, 0 (hex)
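The chunk sizes Fiddler shows (0x781, 296, a3, 0) are hexadecimal, which is the part of chunked transfer coding that trips people up. As an added example (not code from the slides), here is a Node.js encoder and a strict decoder for Transfer-Encoding: chunked; the sample body is constructed so that splitting it at 662 bytes produces exactly the 296, a3, 0 sequence seen on the last slide. The decoder treats every deviation from the grammar as an error rather than recovering, because two parsers that recover differently will disagree about where one message ends and the next begins.

```javascript
// Added example, not from the slides. Node.js, no dependencies.
const CRLF = '\r\n';

// Encode a body as chunked transfer coding, splitting it into chunks of at most
// maxChunk bytes. Each chunk-size line is hexadecimal, which is why Fiddler
// shows sizes like "296", "a3" and "781" on the slides.
function encodeChunked(body, maxChunk) {
  const pieces = [];
  for (let pos = 0; pos < body.length; pos += maxChunk) {
    const chunk = body.slice(pos, pos + maxChunk);
    pieces.push(Buffer.from(chunk.length.toString(16) + CRLF), chunk, Buffer.from(CRLF));
  }
  pieces.push(Buffer.from('0' + CRLF + CRLF));  // last-chunk with no trailers
  return Buffer.concat(pieces);
}

// Decode a chunked body strictly: every chunk-size line must be hex digits
// (optionally followed by ";extension"), every chunk must be followed by CRLF,
// and the message must end with the zero-size chunk and an empty trailer line.
// Returns the reassembled body, the size tokens as seen on the wire, any
// trailer lines, and the number of bytes consumed.
function decodeChunked(buf) {
  const sizes = [];
  const parts = [];
  let pos = 0;
  for (;;) {
    const eol = buf.indexOf(CRLF, pos);
    if (eol < 0) throw new Error('chunk-size line not terminated by CRLF');
    const sizeLine = buf.slice(pos, eol).toString('latin1');
    const m = /^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$/.exec(sizeLine);
    if (!m) throw new Error(`bad chunk-size line: ${JSON.stringify(sizeLine)}`);
    const size = parseInt(m[1], 16);
    sizes.push(m[1].toLowerCase());
    pos = eol + 2;
    if (size === 0) {
      const trailers = [];
      for (;;) {                  // optional trailer fields, then an empty line
        const e = buf.indexOf(CRLF, pos);
        if (e < 0) throw new Error('missing final CRLF after last-chunk');
        const line = buf.slice(pos, e).toString('latin1');
        pos = e + 2;
        if (line === '') break;
        trailers.push(line);
      }
      return { body: Buffer.concat(parts), sizes, trailers, consumed: pos };
    }
    if (pos + size + 2 > buf.length) throw new Error('truncated chunk');
    parts.push(buf.slice(pos, pos + size));
    pos += size;
    if (buf.slice(pos, pos + 2).toString('latin1') !== CRLF) {
      throw new Error('chunk-data not followed by CRLF');
    }
    pos += 2;
  }
}

// Does decoding these wire bytes fail? Used below to exercise the strict checks.
function rejects(wire) {
  try { decodeChunked(Buffer.from(wire, 'latin1')); return false; } catch (e) { return true; }
}

// Constructed sample: 825 bytes split at 662 (0x296) gives chunks 296, a3, 0.
const SAMPLE_BODY = Buffer.alloc(825, 'x');
const SAMPLE_WIRE = encodeChunked(SAMPLE_BODY, 662);

console.log(decodeChunked(SAMPLE_WIRE).sizes.join(' '));   // 296 a3 0
```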
IIS / ASP.NET Custom Headers
● What are these?
○ X-AspNetMvc-Version
○ X-AspNet-Version
○ X-SourceFiles
○ X-Powered-By
● How do I remove them, since I "trust no one"?
X- Fields
● Go by various names, referred to
○ as x-token in the BNF of RFC 2045
○ as user-defined ("X-") in section 5 of RFC 2047
○ as Experimental headers in section 4.2.2.1 of the News Article Format draft
○ http://stackoverflow.com/questions/1810915/is-safe-touse-x-header-in-a-http-response
● Deprecating Use of the "X-" Prefix in Application Protocols (draft 03; January 27, 2012) http://tools.ietf.org/html/draft-saintandre-xdash-03
○ "deprecates the "X-" convention for most application protocols by making specific recommendations"
X-AspNetMvc-Version: 4.0
● To remove this header, in the Application_Start() of Global.asax.cs add:
○ MvcHandler.DisableMvcResponseHeader = true;
● http://stackoverflow.com/questions/3418557/how-to-removeasp-net-mvc-default-http-headers/3418574#3418574
X-AspNet-Version: 4.0.30319
● To remove this header, in Web.config add:
    <system.web>
        <httpRuntime enableVersionHeader="false" />
    </system.web>
● http://stackoverflow.com/questions/3418557/how-to-removeasp-net-mvc-default-http-headers/3418574#3418574
X-Powered-By: ASP.NET
● To remove this header, in Web.config add:
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
X-SourceFiles
● http://stackoverflow.com/questions/4851684/what-does-thex-sourcefiles-header-do
● X-SourceFiles: =?UTF-8?B?YzpcdXNlcnNcZGV2ZWxvcGVyXGRvY3VtZW50c1x2aXN1YWwgc3R1ZGlvIDExXFByb2plY3RzXEhlbGxvV2ViQVBJXEhlbGxvV2ViQVBJ?=
● Decodes to:
○ c:\users\developer\documents\visual studio 11\Projects\HelloWebAPI\HelloWebAPI
● encoded-word (http://tools.ietf.org/html/rfc1342)
○ "=" "?" charset "?" encoding "?" encoded-text "?" "="
○ encoding either "B" (Base64) or "Q" (Quoted Printable)
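As an added example (not code from the slides), here is a Node.js decoder for the encoded-word syntax just described, handling both the B (base64) and Q (quoted-printable) encodings; RFC 1342 was later replaced by RFC 2047, which keeps the same syntax. Feeding it the X-SourceFiles value from the slide, line-wrap spaces and all, recovers the developer's local project path, which is the practical reason to check that headers like this never reach a production response. Only the UTF-8 and ISO-8859-1 charsets are handled; anything else is an error rather than a guess.

```javascript
// Added example, not from the slides. Node.js, no dependencies.

// Map an RFC 2047 charset label to a Buffer encoding. Only the charsets this
// example needs are handled; anything else is rejected rather than guessed.
function bufferEncodingFor(charset) {
  const c = charset.toLowerCase().replace(/\*.*$/, '');   // strip an RFC 2231 "*lang" suffix
  if (c === 'utf-8' || c === 'utf8') return 'utf8';
  if (c === 'iso-8859-1' || c === 'latin1' || c === 'us-ascii') return 'latin1';
  throw new Error(`unsupported charset: ${charset}`);
}

// Decode one encoded-word:  "=?" charset "?" encoding "?" encoded-text "?="
// B is base64; Q is the quoted-printable variant where "_" stands for a space
// and "=XX" is a hex-escaped byte. Whitespace inside the value (from line
// wrapping, as on the slide) is removed first, since encoded-text may not
// contain spaces.
function decodeEncodedWord(word) {
  const compact = String(word).replace(/\s+/g, '');
  const m = /^=\?([^?]+)\?([BbQq])\?([^?]*)\?=$/.exec(compact);
  if (!m) throw new Error('not an RFC 1342/2047 encoded-word');
  const [, charset, enc, text] = m;
  const encoding = enc.toUpperCase();
  let bytes;
  if (encoding === 'B') {
    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(text)) throw new Error('invalid base64 in B encoding');
    bytes = Buffer.from(text, 'base64');
  } else {
    const out = [];
    for (let i = 0; i < text.length; i++) {
      const ch = text[i];
      if (ch === '_') {
        out.push(0x20);
      } else if (ch === '=') {
        const hex = text.slice(i + 1, i + 3);
        if (!/^[0-9A-Fa-f]{2}$/.test(hex)) throw new Error(`bad Q escape at offset ${i}`);
        out.push(parseInt(hex, 16));
        i += 2;
      } else {
        out.push(ch.charCodeAt(0));
      }
    }
    bytes = Buffer.from(out);
  }
  return { charset, encoding, text: bytes.toString(bufferEncodingFor(charset)) };
}

// The X-SourceFiles value from the slide, with its line-wrap spaces left in.
const X_SOURCE_FILES = '=?UTF-8?B?YzpcdXNlcnNcZGV2ZWxvcGVyXGRvY3VtZW50c1x2aXN1Y ' +
  'Wwgc3R1ZGlvIDExXFByb2plY3RzXEhlbGxvV2ViQVBJXE hlbGxvV2ViQVBJ?=';

console.log(decodeEncodedWord(X_SOURCE_FILES).text);
```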
Header Limits?
● IIS has several limits http://stackoverflow.com/questions/1097651/is-there-apractical-http-header-length-limit
● Http.sys registry settings for IIS http://support.microsoft.com/kb/820129
○ MaxFieldLength is the "upper limit for each header"
○ MaxRequestBytes is the "upper limit for the total size of the Request line and the headers"
● Header Limits <headerLimits> http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits/headerLimits
○ limit the length of a specific header
    <add header="Content-type" sizeLimit="100" />
File Upload
● jQuery File Upload Plugin
○ "Files can be uploaded as standard "multipart/form-data" or file contents stream (HTTP PUT file upload)."
○ https://github.com/blueimp/jQuery-File-Upload
    <input id="fileupload" type="file" name="files[]" data-url="/Logo/Upload" multiple>
    $('#fileupload').fileupload({});
RFC 2388 multipart message
    POST http://localhost:4952/Logo/Upload HTTP/1.1
    Host: localhost:4952
    Connection: keep-alive
    Content-Length: 17860
    Origin: http://localhost:4952
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryV7HK5HxBBDfYoirj
    Accept: application/json, text/javascript, */*; q=0.01
    Referer: http://localhost:4952/
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    ------WebKitFormBoundaryV7HK5HxBBDfYoirj
    Content-Disposition: form-data; name="files[]"; filename="logo.png"
    Content-Type: image/png

    �PNG
    [... binary image data ...]
    ------WebKitFormBoundaryV7HK5HxBBDfYoirj--
$('#id').fileupload({multipart:false})
    POST http://localhost:4952/Logo/Upload HTTP/1.1
    Host: localhost:4952
    Connection: keep-alive
    Content-Length: 17662
    Origin: http://localhost:4952
    X-File-Size: 17662
    X-Requested-With: XMLHttpRequest
    X-File-Name: logo.png
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    Content-Type: image/png
    Accept: application/json, text/javascript, */*; q=0.01
    X-File-Type: image/png
    Referer: http://localhost:4952/
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
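Whichever of the two request shapes above arrives, the filename and the content type are supplied by the client: in the multipart form they sit in the part headers, in the streamed form they arrive as X-File-Name and X-File-Type. As an added example (not code from the slides or the jQuery plugin), here is a Node.js parser for the multipart/form-data body that works on raw bytes so binary file contents survive, reduces the client filename to a safe basename, and checks the declared image/png type against the file's magic bytes. The body is constructed here using the boundary from the slide.

```javascript
// Added example, not from the slides. Node.js, no dependencies.

// Parse `form-data; name="files[]"; filename="logo.png"` into its parameters.
// Backslashes are kept literally: browsers do not escape them in filename.
function parseContentDisposition(value) {
  const params = {};
  const re = /;\s*([A-Za-z0-9_-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(value)) !== null) params[m[1].toLowerCase()] = m[2];
  return params;
}

// The filename is client-supplied and must never reach the filesystem as-is:
// keep only the last path segment (IE sends "C:\fakepath\logo.png"), drop
// control characters, and refuse empty or dot-only names.
function safeFilename(filename) {
  const base = String(filename || '').split(/[\\/]/).pop().replace(/[\x00-\x1f\x7f]/g, '').trim();
  if (base === '' || /^\.+$/.test(base)) return 'upload.bin';
  return base;
}

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// The declared Content-Type is client-supplied too; compare it with the bytes.
function looksLikePng(data) {
  return data.length >= 8 && data.slice(0, 8).equals(PNG_SIGNATURE);
}

// Split a multipart/form-data body (RFC 2388 / RFC 2046) into parts. The CRLF
// before each boundary belongs to the boundary, not to the preceding part.
function parseMultipart(body, boundary) {
  const delimiter = Buffer.from('--' + boundary);
  const parts = [];
  let pos = body.indexOf(delimiter);
  if (pos < 0) throw new Error('opening boundary not found');
  for (;;) {
    pos += delimiter.length;
    const tail = body.slice(pos, pos + 2).toString('latin1');
    if (tail === '--') break;                          // close-delimiter
    if (tail !== '\r\n') throw new Error('boundary not followed by CRLF');
    pos += 2;
    const headerEnd = body.indexOf('\r\n\r\n', pos);
    if (headerEnd < 0) throw new Error('part headers not terminated');
    const headers = {};
    for (const line of body.slice(pos, headerEnd).toString('latin1').split('\r\n')) {
      const colon = line.indexOf(':');
      if (colon <= 0) throw new Error(`malformed part header: ${JSON.stringify(line)}`);
      headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
    }
    const dataStart = headerEnd + 4;
    const next = body.indexOf(Buffer.concat([Buffer.from('\r\n'), delimiter]), dataStart);
    if (next < 0) throw new Error('part not terminated by a boundary');
    const disposition = parseContentDisposition(headers['content-disposition'] || '');
    parts.push({
      name: disposition.name,
      filename: disposition.filename,
      safeFilename: disposition.filename === undefined ? undefined : safeFilename(disposition.filename),
      contentType: headers['content-type'] || 'text/plain',
      data: body.slice(dataStart, next),
    });
    pos = next + 2;
  }
  return parts;
}

// Constructed sample body with the slide's boundary; the "PNG" is just its
// 8-byte signature plus the start of an IHDR chunk.
const BOUNDARY = '----WebKitFormBoundaryV7HK5HxBBDfYoirj';
const SAMPLE_BODY = Buffer.concat([
  Buffer.from(`--${BOUNDARY}\r\nContent-Disposition: form-data; name="title"\r\n\r\nCompany logo\r\n`),
  Buffer.from(`--${BOUNDARY}\r\nContent-Disposition: form-data; name="files[]"; filename="C:\\fakepath\\logo.png"\r\nContent-Type: image/png\r\n\r\n`),
  PNG_SIGNATURE, Buffer.from([0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]),
  Buffer.from(`\r\n--${BOUNDARY}--\r\n`),
]);

const SAMPLE_PARTS = parseMultipart(SAMPLE_BODY, BOUNDARY);
console.log(SAMPLE_PARTS.map(p => `${p.name}: ${p.safeFilename || p.data.toString()}`));
```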
Page Load
    GET http://localhost:4952/Logo/Download HTTP/1.1
    Host: localhost:4952
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    Accept: */*
    Referer: http://localhost:4952/
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html
    Content-Encoding: gzip
    ETag: dada50d251fa1ac5c4b25961f87671dd
    Vary: Accept-Encoding
    Server: Microsoft-IIS/7.5
    Date: Fri, 06 Apr 2012 19:58:03 GMT
    Content-Length: 25973
Etag and 304
● Use MD5 hash of data to generate Etag value
● Compare MD5 hash against If-None-Match to return 304
    String hash = logoInfo.Etag;
    if (hash.Equals(Request.Headers["If-None-Match"]))
    {
        Response.StatusCode = 304;
    }
    else
    {
        Response.ContentType = logoInfo.ContentType;
        Response.Headers["Etag"] = hash;
        logoInfo.Stream.Position = 0;
        logoInfo.Stream.CopyTo(Response.OutputStream);
    }
F5 Reload
    GET http://localhost:4952/Logo/Download HTTP/1.1
    Host: localhost:4952
    Connection: keep-alive
    Cache-Control: max-age=0
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    If-None-Match: dada50d251fa1ac5c4b25961f87671dd
    Accept: */*
    Referer: http://localhost:4952/
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    HTTP/1.1 304 Not Modified
    Cache-Control: private
    Server: Microsoft-IIS/7.5
    Date: Fri, 06 Apr 2012 19:58:39 GMT
Ctrl + F5 Reload
    GET http://localhost:4952/Logo/Download HTTP/1.1
    Host: localhost:4952
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    Accept: */*
    Referer: http://localhost:4952/
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html
    Content-Encoding: gzip
    ETag: dada50d251fa1ac5c4b25961f87671dd
    Vary: Accept-Encoding
    Server: Microsoft-IIS/7.5
    Date: Fri, 06 Apr 2012 20:00:38 GMT
    Content-Length: 25973
Cache Headers
● Set Cache-Control: public,max-age=X with <clientCache> http://www.iis.net/ConfigReference/system.webServer/staticContent/clientCache
● Clearing the Etag needs URL Rewrite Module 2.0 installed http://stackoverflow.com/questions/7947420/iis-7-5-remove-etag-headers-fromresponse
    <system.webServer>
        <staticContent>
            <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
        </staticContent>
        <rewrite>
            <outboundRules>
                <rule name="Remove ETag">
                    <match serverVariable="RESPONSE_ETag" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
Squid Proxy
● Squid 2.7 for Windows (http://squid.acmeconsulting.it/)
● squid.conf
○ http_access allow localhost
● Set proxy as localhost:3128, then see additional response headers:
    Proxy-Connection: keep-alive
    Via: 1.1 U0038137-W8A:3128 (squid/2.7.STABLE8)
    X-Cache: MISS from U0038137-W8A
    X-Cache-Lookup: MISS from U0038137-W8A:3128
PURGE
● Purge an object from the Squid cache
○ http://wiki.squid-cache.org/SquidFaq/OperatingSquid
● squid.conf
○ acl PURGE method PURGE
○ http_access allow PURGE localhost
○ http_access deny PURGE
● squidclient -m PURGE <url>
● curl --request PURGE --proxy localhost:3128 <url>
WebDAV
● "extension to the HTTP/1.1 protocol that allows clients to perform remote web content authoring operations"
● Leveraged existing HTTP Methods
○ GET, HEAD, POST, DELETE, PUT
● Defined new HTTP Methods
○ PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
● New Status Codes
○ 102 Processing, 207 Multi-Status, 422 Unprocessable Entity, 423 Locked, 424 Failed Dependency, 507 Insufficient Storage
curl - transfer a url
● Installed on Windows if you have Git Bash
○ http://curl.haxx.se/docs/manpage.html
● Some options
    --compressed
    --data-binary <data>
    -F, --form <name=content>
    -H, --header <header>
    --limit-rate <speed>
    -o, --output <file>
    -T, --upload-file <file>
    -x, --proxy <[protocol://][user@password]proxyhost[:port]>
    -X, --request <command>
WebDAV - PROPFIND Request
    $ curl --proxy localhost:8888 --request PROPFIND http://localhost:4952/Logo/Download

    PROPFIND http://localhost:4952/Logo/Download HTTP/1.1
    User-Agent: curl/7.21.1 (i686-pc-mingw32) libcurl/7.21.1 OpenSSL/0.9.8r zlib/1.2.3
    Host: localhost:4952
    Accept: */*
    Connection: Keep-Alive
WebDAV - PROPFIND Response
    HTTP/1.1 207 Multi-Status
    Cache-Control: private
    Content-Type: text/xml
    Server: Microsoft-IIS/7.5
    Date: Sat, 07 Apr 2012 20:53:01 GMT
    Content-Length: 532

    <?xml version="1.0" encoding="utf-8" ?>
    <D:multistatus xmlns:D="DAV:">
      <D:response>
        <D:href>http://localhost:4952/Logo/Download</D:href>
        <D:propstat>
          <D:prop>
            <D:status>HTTP/1.1 200 OK</D:status>
            <D:getcontenttype>image/png</D:getcontenttype>
            <D:getlastmodified>Sat, 07 Apr 2012 20:45:05 GMT</D:getlastmodified>
            <D:getetag>dada50d251fa1ac5c4b25961f87671dd</D:getetag>
            <D:creationdate>Sat, 07 Apr 2012 20:45:05 GMT</D:creationdate>
          </D:prop>
        </D:propstat>
      </D:response>
    </D:multistatus>
public ActionResult Propfind()
    [ActionName("Download")]
    [AcceptVerbs("PROPFIND")]
    public ActionResult Propfind()
    {
        Response.StatusCode = 207;
        Response.ContentType = "text/xml";
        Response.Charset = null;
        ViewBag.ContentType = logoInfo.ContentType;
        ViewBag.Date = logoInfo.Date;
        ViewBag.Etag = logoInfo.Etag;
        return PartialView("Propfind");
    }
Propfind.cshtml
    <?xml version="1.0" encoding="utf-8" ?>
    <D:multistatus xmlns:D="DAV:">
      <D:response>
        <D:href>@Request.Url</D:href>
        <D:propstat>
          <D:prop>
            <D:status>HTTP/1.1 200 OK</D:status>
            <D:getcontenttype>@ViewBag.ContentType</D:getcontenttype>
            <D:getlastmodified>@ViewBag.Date.ToUniversalTime().ToString("r")</D:getlastmodified>
            <D:getetag>@ViewBag.Etag</D:getetag>
            <D:creationdate>@ViewBag.Date.ToUniversalTime().ToString("r")</D:creationdate>
          </D:prop>
        </D:propstat>
      </D:response>
    </D:multistatus>
X-Frame-Options
● Combating ClickJacking With X-Frame-Options
○ http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combatingclickjacking-with-x-frame-options.aspx
● Browser Support:
○ IE8+, Safari 4+, Chrome 4+, Firefox 3.6.9+
○ Test at http://www.enhanceie.com/test/clickjack/
● Value may be one of
○ DENY - block rendering if within a frame
○ SAMEORIGIN - block rendering if the top-level browsing context is a different origin
○ ALLOW-FROM origin - block rendering if the top-level origin differs from the given value
HTTP Strict Transport Security
● Allows a site to request that it always be contacted over HTTPS.
○ http://dev.chromium.org/sts
● Supported in Google Chrome, Firefox 4.
● Remembers, for the given number of seconds, that the current domain should only be contacted over HTTPS
● Spec
○ http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06
● Example Response Header
    Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Cross-Origin Resource Sharing
● a.k.a. CORS http://www.w3.org/TR/cors/
● Implementing CORS support in ASP.NET Web APIs
○ http://blogs.msdn.com/b/carlosfigueira/archive/2012/02/21/implementing-corssupport-in-asp-net-web-apis-take-2.aspx
● Request Headers
○ Origin
○ Access-Control-Request-Method
○ Access-Control-Request-Headers
● Response Headers
○ Access-Control-Allow-Origin
○ Access-Control-Allow-Credentials
○ Access-Control-Expose-Headers
○ Access-Control-Max-Age
○ Access-Control-Allow-Methods
○ Access-Control-Allow-Headers
CORS Preflight Request/Response
    OPTIONS http://localhost:4952/api/Values/ HTTP/1.1
    Host: localhost:4952
    Connection: keep-alive
    Access-Control-Request-Method: POST
    Origin: http://localhost:7147
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    Access-Control-Request-Headers: Origin, Content-Type, Accept
    Accept: */*
    Referer: http://localhost:7147/
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Server: Microsoft-IIS/7.5
    Access-Control-Allow-Methods: POST
    Access-Control-Allow-Headers: Origin, Content-Type, Accept
    Access-Control-Allow-Origin: http://localhost:7147
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Wed, 28 Mar 2012 17:38:00 GMT
    Content-Length: 0
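The preflight exchange above shows the server answering with exactly the origin, method and headers the browser asked about. As an added example (not the slides' code and not the ASP.NET implementation from the linked post), here is the server-side decision for such a preflight in Node.js: the Origin is checked against an exact-match allowlist, and the Access-Control-* headers are only added when origin, method and requested headers are all permitted. Echoing whatever Origin arrives would be equivalent to "*" while still allowing credentials, which is why the allowlist is explicit; Vary: Origin is added because the response differs per origin. The request object below is the slide's preflight with lower-cased header names.

```javascript
// Added example, not from the slides. Node.js, no dependencies.

// Exact-match allowlist. The one origin here is the one from the slide.
const ALLOWED_ORIGINS = new Set(['http://localhost:7147']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);
const ALLOWED_HEADERS = new Set(['origin', 'content-type', 'accept']);
const PREFLIGHT_MAX_AGE = 600;   // seconds the browser may cache this answer

function splitList(value) {
  return String(value || '').split(',').map(s => s.trim()).filter(s => s.length > 0);
}

// req: { method, headers } with lower-case header names. A preflight is an
// OPTIONS request carrying Origin and Access-Control-Request-Method. The reply
// only gains Access-Control-* headers when every part of the request is on the
// allowlist; otherwise it is a plain 200 with no CORS headers, and the browser
// refuses to send the real request.
function handlePreflight(req) {
  const origin = req.headers['origin'];
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const requested = splitList(req.headers['access-control-request-headers']);
  const response = { status: 200, headers: { 'Vary': 'Origin', 'Content-Length': '0' } };
  if (req.method !== 'OPTIONS' || !origin || method === '') return response;   // not a preflight
  if (!ALLOWED_ORIGINS.has(origin)) return response;
  if (!ALLOWED_METHODS.has(method)) return response;
  if (!requested.every(h => ALLOWED_HEADERS.has(h.toLowerCase()))) return response;
  response.headers['Access-Control-Allow-Origin'] = origin;
  response.headers['Access-Control-Allow-Methods'] = method;
  if (requested.length > 0) response.headers['Access-Control-Allow-Headers'] = requested.join(', ');
  response.headers['Access-Control-Max-Age'] = String(PREFLIGHT_MAX_AGE);
  return response;
}

// The preflight from the slide, as a request object.
const SLIDE_PREFLIGHT = {
  method: 'OPTIONS',
  headers: {
    'host': 'localhost:4952',
    'origin': 'http://localhost:7147',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'Origin, Content-Type, Accept',
  },
};

console.log(handlePreflight(SLIDE_PREFLIGHT).headers);
```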
Cross-Site Request Forgery (CSRF)
● How to use ASP.NET MVC anti-forgery helpers with web apis?
● Started with "Preventing CSRF with Ajax" http://haacked.com/archive/2011/10/10/preventing-csrf-withajax.aspx
● Used the "ASP.NET MVC 3 RTM Source Code" to peek into the inner workings of AntiForgery https://aspnet.codeplex.com/releases/view/58781
Modifications
● Controller code
    var inputTag = AntiForgery.GetHtml(this.HttpContext, null, null, null).ToString();
    var tokenValue = Regex.Match(inputTag, "value=\"(.*)\"").Groups[1].Value;
    ViewBag.RequestVerificationToken = tokenValue;
● View code
    $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
        if (!options.headers) options.headers = {};
        options.headers["__RequestVerificationToken"] = "@ViewBag.RequestVerificationToken";
    });
● validation not working yet, because:
○ System.Web.Http.Filters.FilterAttribute != System.Web.Mvc.FilterAttribute
CSRF
    GET http://localhost:4952/api/products/ HTTP/1.1
    __RequestVerificationToken: q592rxZ1san7NwORzH0SkHp8rpIYB9IDgosSIt+/hB4hVsKUB/xsfCfsiqdStnHZ459xX+mM8VKL+IUP1CDM8jcoKv5La1l4XszC5tz6FiIY2lVXZ+CaYytbjV2o+I0wJHyLvrpgjyzGwHHErwVv4jgDG3khJr1ibRGGJicFlWw=
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    Referer: http://localhost:4952/
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; Media Center PC 6.0; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
    Host: localhost:4952
    Connection: Keep-Alive
    Cookie: __RequestVerificationToken_Lw__=WVJj4wvLfroG56QsHbZHNxhSZBxbsf3nN1FPsBp8AWgyyuKSr19voC8zxwl1wu1GfI9/uqKcdf03dtVN8Izm+JkDG6/j/zhnKFyYWw8Tiqr88URDO/mOhE8edSY93ZSuALnPYeD/VS1VftEqvKbtSA7BgWxKhRddOrm5Sc9VMjk=
WebSockets
● Couldn't get SignalR working with IIS 8 and WebSockets
● Getting started with WebSockets in Windows 8
○ http://www.paulbatum.com/2011/09/getting-started-withwebsockets-in.html
○ https://github.com/paulbatum/PushFrenzy
● Hard to peek under the covers - RFC 6455:
○ 1.7. Relationship to TCP and HTTP: The WebSocket Protocol is an independent TCP-based protocol. Its only relationship to HTTP is that its handshake is interpreted by HTTP servers as an Upgrade request. http://tools.ietf.org/html/rfc6455
WebSockets - PushFrenzy
    GET http://localhost/PushFrenzy.Web/connect?nickname=IE&gamesize=2 HTTP/1.1
    Origin: localhost
    Sec-WebSocket-Key: 9l4ov6WTcktNZhDxzofNsA==
    Connection: Upgrade
    Upgrade: Websocket
    Sec-WebSocket-Version: 13
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
    Host: localhost
    Cache-Control: no-cache

    HTTP/1.1 101 Switching Protocols
    Cache-Control: private
    Upgrade: Websocket
    Server: Microsoft-IIS/8.0
    X-AspNet-Version: 4.0.30319
    Sec-WebSocket-Accept: 2npInS6ZLafsQdJ4EPNxraKGlpY=
    Connection: Upgrade
    X-Powered-By: ASP.NET
    Date: Tue, 03 Apr 2012 20:40:47 GMT
WebSockets - Fiddler
● Glimpse of the future: Fiddler and HTML5 WebSockets
○ http://blogs.msdn.com/b/fiddler/archive/2011/11/22/fiddlerand-websockets.aspx
● Single Request/Response entry
● Most data appears in Log tab
● Look for these bytes in upcoming slides
○ 81 0A 63 6F 6E 6E 65 63 74 65 64 2C
WebSockets - Fiddler
    GET http://ws.websocketstest.com/service HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Host: ws.websocketstest.com
    Origin: http://websocketstest.com
    Sec-WebSocket-Key: a05pbM96VhcorGnOP29sOw==
    Sec-WebSocket-Version: 13
    Cookie: __utma=245398530.78459945.1333486200.1333486200.1333486200.1; __utmb=245398530.7.10.1333486200; __utmc=245398530; __utmz=245398530.1333486200.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

    HTTP/1.1 101 Switching Protocols
    Upgrade: WebSocket
    Connection: Upgrade
    Sec-WebSocket-Accept: dHDHGWWR3k2+1linxGu02hAH/00=

    EndTime: 16:24:34.380
WebSockets - Fiddler Log Start
    16:22:18:9186 Upgrading Session #29 to websocket
    16:22:18:9886 [WebSocket #29] Received from server 12 bytes
        Flags: 10000001 Message Masking: False. Data length: 10 bytes.
        81 0A 63 6F 6E 6E 65 63 74 65 64 2C   .connected,
    16:22:18:9886 [WebSocket #29] Received from browser 14 bytes
        Flags: 10000001 Message Masking: True. Data length: 8 bytes. Masking key is: 8C 07 80 8F
        version,
        81 88 8C 07 80 8F FA 62 F2 FC E5 68 EE A3   (masked bytes, not printable)
    16:22:19:0586 [WebSocket #29] Received from server 23 bytes
        Flags: 10000001 Message Masking: False. Data length: 21 bytes.
        81 15 76 65 72 73 69 6F 6E 2C 68 79 62 69 2D 64 72 61 66 74 2D 31 33   version,hybi-draft-13
WebSockets - Fiddler Log End
    16:24:33:5642 [WebSocket #29] Received from server 24 bytes
        Flags: 10000001 Message Masking: False. Data length: 22 bytes.
        81 16 74 69 6D 65 2C 32 30 31 32 2F 34 2F 33 20 32 31 3A 32 32 3A 31 39   .time,2012/4/3 21:22:19
    16:24:34:3802 [WebSocket #29] OnClientReceive from browser failed; ret=0
WebSockets - Wireshark Capture
● Wireshark notes that this HTTP does not seem right
○ "Continuation or non-HTTP traffic"
WebSockets - Wireshark Capture
    16:22:18:9186 Upgrading Session #29 to websocket
    16:22:18:9886 [WebSocket #29] Received from server 12 bytes
        Flags: 10000001 Message Masking: False. Data length: 10 bytes.
        81 0A 63 6F 6E 6E 65 63 74 65 64 2C   connected,
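The byte dumps in the Fiddler log are RFC 6455 frames: the first byte carries FIN and the opcode (0x81 = final text frame), the second carries the mask bit and the payload length (0x0A = 10 unmasked bytes; 0x88 = 8 masked bytes, followed by the 4-byte masking key 8C 07 80 8F). As an added example (not the slides' code), here is a Node.js frame decoder run over exactly those bytes; it unmasks the browser's "version," payload and also enforces the direction rule that client frames must be masked and server frames must not, which a server uses to fail the connection rather than process a malformed frame.

```javascript
// Added example, not from the slides. Node.js, no dependencies.

// Decode one WebSocket frame (RFC 6455 section 5.2) from a Buffer. Returns the
// header fields, the unmasked payload and the number of bytes consumed.
function decodeFrame(buf) {
  if (buf.length < 2) throw new Error('frame too short');
  const fin = (buf[0] & 0x80) !== 0;
  const rsv = (buf[0] & 0x70) >> 4;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let length = buf[1] & 0x7f;
  let pos = 2;
  if (length === 126) {                       // 16-bit extended length
    if (buf.length < 4) throw new Error('truncated 16-bit length');
    length = buf.readUInt16BE(2);
    pos = 4;
  } else if (length === 127) {                // 64-bit extended length
    if (buf.length < 10) throw new Error('truncated 64-bit length');
    const big = buf.readBigUInt64BE(2);
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error('payload length too large');
    length = Number(big);
    pos = 10;
  }
  if (rsv !== 0) throw new Error('RSV bits set but no extension negotiated');
  let maskKey = null;
  if (masked) {
    if (buf.length < pos + 4) throw new Error('truncated masking key');
    maskKey = Buffer.from(buf.slice(pos, pos + 4));
    pos += 4;
  }
  if (buf.length < pos + length) throw new Error('truncated payload');
  const payload = Buffer.from(buf.slice(pos, pos + length));   // copy, then unmask in place
  if (masked) for (let i = 0; i < payload.length; i++) payload[i] ^= maskKey[i % 4];
  return { fin, opcode, masked, maskKey, length, payload, consumed: pos + length };
}

// RFC 6455 5.1: frames from the client MUST be masked, frames from the server
// MUST NOT be. A receiver seeing the wrong case fails the connection
// (close code 1002) instead of processing the frame.
function maskingIsValid(frame, fromClient) {
  return frame.masked === fromClient;
}

// The bytes from the Fiddler log on the slides.
const SERVER_FRAME = Buffer.from('810A636F6E6E65637465642C', 'hex');                          // "connected,"
const BROWSER_FRAME = Buffer.from('81888C07808FFA62F2FCE568EEA3', 'hex');                     // masked "version,"
const SERVER_FRAME_2 = Buffer.from('811576657273696F6E2C687962692D64726166742D3133', 'hex');  // "version,hybi-draft-13"

console.log(decodeFrame(BROWSER_FRAME).payload.toString('utf8'));   // version,
```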
SPDY
● An experimental protocol for a faster web
○ http://dev.chromium.org/spdy/spdy-whitepaper
○ "application-layer protocol for transporting content over the web, designed specifically for minimal latency"
○ "TCP is the generic, reliable transport protocol, providing guaranteed delivery, duplicate suppression, in-order delivery, flow control, congestion avoidance and other transport features."
○ "HTTP is the application level protocol providing basic request/response semantics."
○ "adds a session layer atop of SSL that allows for multiple concurrent, interleaved streams over a single TCP connection"
SPDY - Request Changes
● First line of the request is unfolded into name/value pairs like other HTTP headers
● Duplicate header names are not allowed
● Header names are all lowercase
● The Connection and Keep-Alive headers are no longer valid and are ignored if present
● Clients assumed to support Accept-Encoding: gzip
● HTTP request headers are compressed with gzip encoding
● The "host" header is ignored as the host:port portion of the HTTP URL is the definitive host
● Content-length is only advisory for length (so that progress meters can work)
● Chunked encoding is no longer valid.
SPDY - Response Changes
● The response status line is unfolded into name/value pairs like other HTTP headers
● All header names must be lowercase
● The Connection and Keep-alive response headers are no longer valid
● Content-length is only advisory for length
● Chunked encoding is no longer valid
● Duplicate header names are not allowed
SPDY - Tools and Debugging
● New protocol = new debugging tools
○ Chrome about:net-internals