Date: Thu, 1 Mar 2012 00:12:00 -0600
Subject: Re: Greetings plus discussion of WebSockets for Android
From: Marlin Mixon
To: callback-dev@incubator.apache.org

A quick update on WebSocket:

It looks like the latest WebSocket spec (RFC 6455) addresses the security issues. The current PhoneGap branch that is a year old contains WebSocket.java that only offers the older insecure Draft 75 and Draft 76 WebSocket protocols.

I did some searching around and found the original source of WebSocket.java. The author is Nathan Rajlich, and it so happens that his Java-WebSocket project is being actively developed. The project is at http://java-websocket.org/ and the repository is here: git://github.com/TooTallNate/Java-WebSocket

I've reviewed the code, and this newer version has WebSocket protocol options for not only the original Drafts 75 and 76 but also Hybi 10 and Hybi 17. Hybi 17 is identical to the protocol defined by RFC 6455, which was released in December 2011.

I'm checking with Nate to see if he sees any problems with using his code (currently licensed under MIT).

So what that means is if we incorporate Java-WebSocket into Cordova Android it should be pretty straightforward and the security issues should then be resolved.

On Wed, Feb 29, 2012 at 3:25 PM, Bryce Curtis wrote:
> The issue is discussed http://davidwalsh.name/websocket-security and
> http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool-for.html
> .
>
> It has been fixed in the latest spec (
> http://tools.ietf.org/html/rfc6455#page-50), so it's a matter of using a
> client/server that is compliant.
>
> On Wed, Feb 29, 2012 at 10:31 AM, Filip Maj wrote:
>
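
The thread turns on telling Draft 75/76 handshakes apart from Hybi 10 and Hybi 17 / RFC 6455 ones and on confirming that the peer is compliant. The following is an added example, not part of the original messages and not code from Java-WebSocket or Cordova, that classifies an opening handshake by its headers and checks a server's `Sec-WebSocket-Accept` value as RFC 6455 defines it. The class name, method names and the Key1/Key2 and Origin header values are assumptions made for illustration, and `java.util.Base64` requires Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

public class HandshakeCheck {
    // GUID fixed by RFC 6455, section 1.3.
    static final String GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";

    // Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)).
    static String expectedAccept(String key) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        byte[] digest = sha1.digest((key + GUID).getBytes(StandardCharsets.US_ASCII));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Labels the protocol generation of a client's opening handshake.
    static String classify(Map<String, String> h) {
        if (h.containsKey("Sec-WebSocket-Key1")) return "draft-76"; // Key1/Key2 pair
        String v = h.get("Sec-WebSocket-Version");
        if (v == null) // Draft 75 sends no Sec-WebSocket-* headers at all
            return h.containsKey("Sec-WebSocket-Key") ? "malformed" : "draft-75";
        if (v.trim().equals("13")) return "hybi-17 / RFC 6455";
        if (v.trim().equals("8")) return "hybi-10";
        return "other (version " + v.trim() + ")";
    }

    // Client-side check of the server's 101 response against the key we sent.
    static boolean serverIsCompliant(String sentKey, Map<String, String> resp) throws Exception {
        return "websocket".equalsIgnoreCase(resp.get("Upgrade"))
            && expectedAccept(sentKey).equals(resp.get("Sec-WebSocket-Accept"));
    }

    // Header names are case-insensitive, so the map is too.
    static Map<String, String> headers(String... kv) {
        Map<String, String> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) throws Exception {
        String key = "dGhlIHNhbXBsZSBub25jZQ=="; // sample nonce from RFC 6455
        // Constructed sample handshakes, one per protocol generation.
        System.out.println(classify(headers("Sec-WebSocket-Key", key, "Sec-WebSocket-Version", "13")));
        System.out.println(classify(headers("Sec-WebSocket-Key", key, "Sec-WebSocket-Version", "8")));
        System.out.println(classify(headers("Sec-WebSocket-Key1", "constructed-1", "Sec-WebSocket-Key2", "constructed-2")));
        System.out.println(classify(headers("Upgrade", "WebSocket", "Origin", "http://example.com")));
        // A compliant server echoes the derived accept value; a Draft 75/76 server cannot.
        System.out.println(serverIsCompliant(key, headers("Upgrade", "websocket", "Sec-WebSocket-Accept", expectedAccept(key))));
        System.out.println(serverIsCompliant(key, headers("Upgrade", "WebSocket")));
    }
}
```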