Presentation is loading. Please wait.

Presentation is loading. Please wait.

Martin Kruliš 30. 4. 2015 by Martin Kruliš (v1.0)1.

Published byMarjory Neal Modified over 9 years ago

Similar presentations

Presentation on theme: "Martin Kruliš 30. 4. 2015 by Martin Kruliš (v1.0)1."— Presentation transcript:

1 Martin Kruliš 30. 4. 2015 by Martin Kruliš (v1.0)1

2  Hyper-Text Transfer Protocol ◦ Simple textual-based protocol ◦ Designed for data retrieval  Also allows data uploads and modification requests ◦ Completely stateless  Each request treated independently  Cookies extension allows limited session management ◦ Client initiated  Server cannot push data to the clients 30. 4. 2015 by Martin Kruliš (v1.0)2

3  Asynchronous JavaScript and XML ◦ A technique that combines three technologies  JavaScript  Asynchronous HTTP client API integrated in browser  XML or other semi-structured data format ◦ Script invokes HTTP transfer and provide callbacks  Both GET and POST requests are supported ◦ The callback is invoked asynchronously  At the conclusion of the HTTP transfer  It may process the returned data (e.g., update the contents of the web page) 30. 4. 2015 by Martin Kruliš (v1.0)3

4  XMLHttpRequest Object var httpReq = new XMLHttpRequest(); httpReq.open("GET", "index.php?ajax=1", true); httpReq.onreadystatechange = function() { if (httpReq.readyState != 4) return; if (httpReq.status == 200) processResponse(httpReq.responseText); else handleError(httpReq.status); } httpReq.send(); 30. 4. 2015 by Martin Kruliš (v1.0)4

5  More Advanced Features ◦ Managing headers  setRequestHeader(), getResponseHeader() ◦ Advanced response representation  Support for array buffers, blobs, and JSON data ◦ Easier way to send request content  Support for blobs  Special FormData API  Assembling a form-like request (including file uploads) ◦ Events  onload, onerror, onabort, ontimeout, onloadend, … 30. 4. 2015 by Martin Kruliš (v1.0)5

6  Same Origin Security Policy ◦ Safety precaution implemented by browsers  AJAX requests must target the same domain ◦ Sometimes accessing other domains is required  Cross-Origin Requests ◦ Browser adds Origin header to the request ◦ If the request is allowed, the server adds header Access-Control-Allow-Origin in response 30. 4. 2015 by Martin Kruliš (v1.0)6

7  Comet 30. 4. 2015 by Martin Kruliš (v1.0)7 Client (Browser) Web Server timeout event Client starts asynchronous HTTP Request Server postpones the response if there is nothing to report After timeout, an empty response is sent Client immediately issues a new request Reportable event occurs Event notification is sent Client processes the event and issues another request …

8  Server Messages ◦ Extension of the idea implemented by Comet ◦ Special protocol  HTTP response with text/event-stream content type  Continuous stream containing separate events data: transmitted data event: custom-event data: data for the custom event ◦ Simple client API var evSource = new EventSource("msg.php"); evtSource.onmessage = function(e) { e.data … } 30. 4. 2015 by Martin Kruliš (v1.0)8 Example 1

9  Extension of HTTP(S) Protocols ◦ Two way communication ◦ Persistent connections ◦ Layered over TCP or SSL/TLS connection  Protocol Properties ◦ Defined in detail in RFC 6455 ◦ Handshake is compatible with HTTP handshake ◦ Simple message-based communication  User can specify custom sub-protocols (i.e., the contents and semantics of the messages) 30. 4. 2015 by Martin Kruliš (v1.0)9

10  Handshake ◦ The connection is initiated by a HTTP request, which is a HTTP-upgrade request GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: http://example.com Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 30. 4. 2015 by Martin Kruliš (v1.0)10 The “upgrade” request Security things WebSocket specific information

11  Handshake ◦ The server may respond by any HTTP-valid code  E.g. 404 if the URI is not valid or by 3xx redirection  It may also include things like auth-tokens, cookies… ◦ Upgrade acceptation looks as follows HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGz... Sec-WebSocket-Protocol: chat 30. 4. 2015 by Martin Kruliš (v1.0)11 Upgrade confirmation Security verification Accepted subprotocol

12  Frame Format 30. 4. 2015 by Martin Kruliš (v1.0)12 Ctrl. bitsOp. Code LengthExtended Length (if length > 125) Payload Data 0481632 Mask Extended Length (if length == 127) Masking Key (if mask == 1) Masking Key (continuation)

13  Frame Format 30. 4. 2015 by Martin Kruliš (v1.0)13 Ctrl. bitsOp. Code LengthExtended Length (if length > 125) Payload Data 0481632 Mask Extended Length (if length == 127) Masking Key (if mask == 1) Masking Key (continuation) Control Bits 0. – Final fragment of a message 1.-3. Reserved (set to 0) Control Bits 0. – Final fragment of a message 1.-3. Reserved (set to 0) Opcode (type of payload) x0 – Continuation frame x1 - Text Frame (UTF8) x2 – Binary Frame x3-x7 – Reserved (non control) x8 – Connection Close x9 – Ping xA – Pong xB-xF – Reserved (control) Opcode (type of payload) x0 – Continuation frame x1 - Text Frame (UTF8) x2 – Binary Frame x3-x7 – Reserved (non control) x8 – Connection Close x9 – Ping xA – Pong xB-xF – Reserved (control)

14  Frame Format 30. 4. 2015 by Martin Kruliš (v1.0)14 Ctrl. bitsOp. Code LengthExtended Length (if length > 125) Payload Data 0481632 Mask Extended Length (if length == 127) Masking Key (if mask == 1) Masking Key (continuation) Whether payload is masked Payload length (in bytes). If length == 126/127, extended 16/64 bit length is used. Payload length (in bytes). If length == 126/127, extended 16/64 bit length is used. Randomly selected 32 bit key used for XOR masking of the payload.

15  Data Frames ◦ Messages may be fragmented  First frame defines the type, other frames are defined as continuation frames  Last frame has the appropriate control bit set ◦ Text messages must be in UTF8, binary messages are interpreted only by the application  Control Frames ◦ Close frame initiates graceful connection shutdown ◦ Ping/pong frames verify the connection is still alive 30. 4. 2015 by Martin Kruliš (v1.0)15

16  Security ◦ The connection may be established on a SSL/TLS channel instead of TCP  In the same way HTTP and HTTPS works ◦ The client sends an origin that refers to a domain from which the client script was downloaded ◦ The server must correctly transform given security key to verify it is really a WebSocket server ◦ The client may use frame masking to defend against a specific cache-poisoning attack  When the attacker constructs frames that look like a HTTP request 30. 4. 2015 by Martin Kruliš (v1.0)16

17  Client Side (JavaScript) ◦ Encapsulated in window.WebSocket object ◦ We can check the functionality by if (!"WebSocket" in window) { // Do plan B; we do not have WebSockets } ◦ A new connection is initiated by constructing new WebSocket object var ws = new WebSocket('ws://domain/', 'proto'); 30. 4. 2015 by Martin Kruliš (v1.0)17

18  WebSocket Object ◦ Properties  readyState – state of the connection (0 – connecting, 1 – connnected, 2 – closing, 3 – closed)  protocol – selected subprotocol  bufferedAmmount – number of bytes buffered by send but not yet transmitted over the network ◦ Methods  send(data) – send a data message (the type of the message is selected by the type of the data object)  close([code, [reason]]) – gracefully terminate the connection 30. 4. 2015 by Martin Kruliš (v1.0)18

19  WebSocket Object ◦ Events  onopen() – when the connection is established  onmessage(e) – reports an incoming message (defragmented) in e.data field (string for text and Blob or ArrayBuffer for binary messages)  onerror() – if connection was terminated by an error  onclose(e) – when the connection is terminated  e.wasClean – whether the shutdown was graceful  e.code – termination code  e.reason – string with termination reason 30. 4. 2015 by Martin Kruliš (v1.0)19

20  Server Side ◦ Current HTTP servers (e.g., Apache) do not natively support WebSockets  Similar problem as with Comet and Server Events  Applications often use two servers (HTTP and WS) ◦ Alternatives  Standalone application/script that implements HTTP and WS on its own  Specialized solutions like Node.js  Contains ready to use libraries for HTTP and WS which embrace event based programming 30. 4. 2015 by Martin Kruliš (v1.0)20 Example 2

21  Web Real-Time Communication ◦ API for direct p2p communication between browsers ◦ Originally designed for audiovisual data (videophone) 30. 4. 2015 by Martin Kruliš (v1.0)21 Signaling channel (AJAX, WS, …) is required for establishing the connection RTC data are then passed directly or via TURN servers

22  Web RTC API ◦ MediaStream  API that exposes camera or microphone as streams of multimedia data ◦ RTCPeerConnection  Manages the established connection  Multiple channels may be attached ◦ RTCDataChannel  Special channel type for script-managed data transfers  Channel API is based on WebSocket API 30. 4. 2015 by Martin Kruliš (v1.0)22

23 30. 4. 2015 by Martin Kruliš (v1.0)23

Download ppt "Martin Kruliš 30. 4. 2015 by Martin Kruliš (v1.0)1."

Similar presentations

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Rensselaer Polytechnic Institute CSCI-4220 – Network Programming David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4220 – Network Programming David Goldschmidt, Ph.D.
Hypertext Transfer Protocol Kyle Roth Mark Hoover.

Hypertext Transfer Protocol Kyle Roth Mark Hoover.
Definitions, Definitions, Definitions Lead to Understanding.

Definitions, Definitions, Definitions Lead to Understanding.
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
Chapter 6 DOJO TOOLKITS. Objectives Discuss XML DOM Discuss JSON Discuss Ajax Response in XML, HTML, JSON, and Other Data Type.

Chapter 6 DOJO TOOLKITS. Objectives Discuss XML DOM Discuss JSON Discuss Ajax Response in XML, HTML, JSON, and Other Data Type.
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Process-to-Process Delivery:

Process-to-Process Delivery:
CIS679: RTP and RTCP r Review of Last Lecture r Streaming from Web Server r RTP and RTCP.

CIS679: RTP and RTCP r Review of Last Lecture r Streaming from Web Server r RTP and RTCP.
Martin Kruliš 14. 5. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
WebSockets [intro].

WebSockets [intro].
Rensselaer Polytechnic Institute CSCI-4220 – Network Programming David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4220 – Network Programming David Goldschmidt, Ph.D.
Ajax (Asynchronous JavaScript and XML). AJAX  Enable asynchronous communication between a web client and a server.  A client is not blocked when an.

Ajax (Asynchronous JavaScript and XML). AJAX  Enable asynchronous communication between a web client and a server.  A client is not blocked when an.
10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
CSCI 6962: Server-side Design and Programming Introduction to AJAX.

CSCI 6962: Server-side Design and Programming Introduction to AJAX.

Similar presentations

Ads by Google