1

Topic: BSD sockets in API browsers

A thought suddenly occurred to me. What, actually, is the problem with having functions for working with TCP/UDP sockets in browser APIs? Any security reasons? Yes, I know there are WebSockets, but nevertheless.

2

Re: BSD sockets in API browsers

Hello, b0r3d0m, you wrote:

B> A thought suddenly occurred to me.
B> What, actually, is the problem with having functions for working with TCP/UDP sockets in browser APIs? Any security reasons?
B> Yes, I know there are WebSockets, but nevertheless.

As usual: good thinking comes  + thought HTTP suffices for all and for all.

3

Re: BSD sockets in API browsers

S> As usual: good thinking comes  + thought HTTP suffices for all and for only.

Truly, transited  time. So why, after such an amount of time, did they still decide to invent an absolutely new standard (WebSockets) instead of adding the time-tested BSD sockets? Well, they are convenient, I do not argue, but a lot of time was required for their standardization and implementation in browsers. It seems to me that with BSD sockets it would have been slightly easier.

4

Re: BSD sockets in API browsers

Hello, b0r3d0m, you wrote:

S>> As usual: good thinking comes  + thought HTTP suffices for all and for only.
B> It is true, transited  time. So why, after such an amount of time, did they still decide to invent an absolutely new standard (WebSockets) instead of adding the time-tested BSD sockets? Well, they are convenient, I do not argue, but a lot of time was required for their standardization and implementation in browsers. It seems to me that with BSD sockets it would have been slightly easier.

About BSD sockets I will not say (most likely , and that says it all), and actually what difference does it make if WebSockets have already actually become a standard part, . http 2.0.

5

Re: BSD sockets in API browsers

Hello, b0r3d0m, you wrote:

B> What, actually, is the problem with having functions for working with TCP/UDP sockets in browser APIs? Any security reasons?

Now JS can make HTTP requests only to the domain (https://en.wikipedia.org/wiki/Same-origin_policy); if the page makes a request to a foreign domain, JS cannot receive the results of the request. There will also inevitably be problems with web proxies, which is why WebSockets work on top of HTTP(S). In general, BSD sockets are a huge  in security: imagine that you came to a page, and on the page there is JS which can connect to anything at all, sees everything that is in your network through your local multicast DNS and transfers it to a site or somewhere else. In general, the question is extremely naive. This will never happen.

6

Re: BSD sockets in API browsers

CK> Now JS can make HTTP requests only to the domain (https://en.wikipedia.org/wiki/Same-origin_policy)

And that is fine, let them allow it only to the domain.

CK> In general, BSD sockets are a huge  in security: imagine that you came to a page, and on the page there is JS which can connect to anything at all, sees everything that is in your network through your local multicast DNS and transfers it to a site or somewhere else

What is the problem with restricting it at the browser level? Roughly speaking, forbid all calls outside the same domain.

7

Re: BSD sockets in API browsers

Hello, chaotic-kotik, you wrote:

CK> Now JS can make HTTP requests only to the domain (https://en.wikipedia.org/wiki/Same-origin_policy); if the page makes a request to a foreign domain, JS cannot receive the results of the request.

That is connected with the fact that with HTTP requests go .

CK> There will also inevitably be problems with web proxies, which is why WebSockets work on top of HTTP(S).

Well, whoever has a proxy has the problem. Some proxies allow  arbitrary connections.

CK> In general, BSD sockets are a huge  in security

In what ?

CK> imagine that you came to a page, and on the page there is JS which can connect to anything at all, sees everything that is in your network through your local multicast DNS and transfers it to a site or somewhere else. In general, the question is extremely naive. This will never happen.

Connections to local IP addresses can be forbidden, that is reasonable. But what is the problem with connections to external addresses?

8

Re: BSD sockets in API browsers

vsb> Connections to local IP addresses can be forbidden, that is reasonable. But what is the problem with connections to external addresses?

Any vulnerability of the type "implementation javascript" instantly transforms the visitors of any site into a big  through which it is possible ,  advertising,  attendance, etc.

9

Re: BSD sockets in API browsers

Hello, hi_octane, you wrote:

vsb>> Connections to local IP addresses can be forbidden, that is reasonable. But what is the problem with connections to external addresses?
_> Any vulnerability of the type "implementation javascript" instantly transforms the visitors of any site into a big  through which it is possible ,  advertising, , etc.

Attendance can be done even now. You add a tag <img src="http://rsdn.ru/"/> on any lenta.ru and you receive . Advertising  is possible too, and so is doing a POST. The only thing that is impossible is reading the answer from such a request. But  that does not hinder.

10

Re: BSD sockets in API browsers

Hello, vsb, you wrote:

CK>> imagine that you came to a page, and on the page there is JS which can connect to anything at all, sees everything that is in your network through your local multicast DNS and transfers it to a site or somewhere else. In general, the question is extremely naive. This will never happen.
vsb> Connections to local IP addresses can be forbidden, that is reasonable. But what is the problem with connections to external addresses?

1. IP addresses have no host name (in the HTTP sense) -> same-origin policy goes out the window, as does the hosting of several sites on one IP.

2. What are these "external addresses"? For example, are hosts in my LAN external? Are nodes accessible through a VPN external? How would you know what routing I have, and what goes to which interface under which masks?

3. (And even more so) Suppose my real IP address is on the white list of an external host. That in turn simply gives the chance  on the host through telnet/ssh/whatever. So now a bot can already  to it. Instead of whatever, substitute for example  dev or, which can also be,  service. Is that needed?

11

Re: BSD sockets in API browsers

Hello, fddima, you wrote:

CK>>> imagine that you came to a page, and on the page there is JS which can connect to anything at all, sees everything that is in your network through your local multicast DNS and transfers it to a site or somewhere else. In general, the question is extremely naive. This will never happen.
vsb>> Connections to local IP addresses can be forbidden, that is reasonable. But what is the problem with connections to external addresses?
F> 1. IP addresses have no host name (in the HTTP sense) -> same-origin policy goes out the window, as does the hosting of several sites on one IP.

I understood nothing. Could you explain in more detail? I did not suggest restricting connections by the originating site. Of course any site can connect to any external IP address.

F> 2. What are these "external addresses"? For example, are hosts in my LAN external? Are nodes accessible through a VPN external? How would you know what routing I have, and what goes to which interface under which masks?

Those are internal. The rest are external. Your routing interests nobody.

F> 3. (And even more so) Suppose my real IP address is on the white list of an external host. That in turn simply gives the chance  on the host through telnet/ssh/whatever. So now a bot can already  to it. Instead of whatever, substitute for example  dev or, which can also be,  service. Is that needed?

A far-fetched problem. If you want to restrict access, put proper protection in place. What you describe is not protection but a farce.

12

Re: BSD sockets in API browsers

Hello, chaotic-kotik, you wrote:

CK> Now JS can make HTTP requests only to the domain (https://en.wikipedia.org/wiki/Same-origin_policy); if the page makes a request to a foreign domain, JS cannot receive the results of the request. There will also inevitably be problems with web proxies, which is why WebSockets work on top of HTTP(S). In general, BSD sockets are a huge  in security: imagine that you came to a page, and on the page there is JS which can connect to anything at all, sees everything that is in your network through your local multicast DNS and transfers it to a site or somewhere else. In general, the question is extremely naive. This will never happen.

Wake up, you already  - through web pages it is possible to crack local routers, etc.

https://en.wikipedia.org/wiki/Cross-sit … st_forgery
Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank

13

Re: BSD sockets in API browsers

Hello, vsb, you wrote:

F>> 1. IP addresses have no host name (in the HTTP sense) -> same-origin policy goes out the window, as does the hosting of several sites on one IP.
vsb> I understood nothing. Could you explain in more detail? I did not suggest restricting connections by the originating site. Of course any site can connect to any external IP address.

Virtual hosting. I have 3 web applications hanging on one IP. Sockets without selection of ports certainly cannot do this transparently; it is simply inconvenient. Where sockets are really necessary, people simply write applications on sockets. WebSockets are more than enough for JS/sites, as the whole kitchen of message serialization is already implemented and hidden, and there is no need to rack your brains.

F>> 2. What are these "external addresses"? For example, are hosts in my LAN external? Are nodes accessible through a VPN external? How would you know what routing I have, and what goes to which interface under which masks?
vsb> Those are internal. The rest are external. Your routing interests nobody.

Correct, my routing is mine, therefore sites have no business poking at arbitrary IP addresses: a site does not know which of them is which anyway, but potentially it can connect to nodes it should not.

F>> 3. (And even more so) Suppose my real IP address is on the white list of an external host. That in turn simply gives the chance  on the host through telnet/ssh/whatever. So now a bot can already  to it. Instead of whatever, substitute for example  dev or, which can also be,  service. Is that needed?
vsb> A far-fetched problem. If you want to restrict access, put proper protection in place. What you describe is not protection but a farce.

These are quite normal rules. The presence or absence of a password is secondary here. In a local network the manager can have  direct access on the LAN, and plain connections work for him when they do not for other users of the network. And so arbitrary code, whose presence you do not even know about when visiting a site, simply starts making arbitrary connections. Whether that is crooked or not is another question. People do this, and often.

14

Re: BSD sockets in API browsers

Hello, fddima, you wrote:

F>>> 1. IP addresses have no host name (in the HTTP sense) -> same-origin policy goes out the window, as does the hosting of several sites on one IP.
vsb>> I understood nothing. Could you explain in more detail? I did not suggest restricting connections by the originating site. Of course any site can connect to any external IP address.
F> Virtual hosting. I have 3 web applications hanging on one IP. Sockets without selection of ports certainly cannot do this transparently; it is simply inconvenient. Where sockets are really necessary, people simply write applications on sockets. WebSockets are more than enough for JS/sites, as the whole kitchen of message serialization is already implemented and hidden, and there is no need to rack your brains.

It did not become any clearer to me why same-origin policy or the hosting of several sites goes out the window because of this feature. Where sockets are really necessary, there is no way to make them out of anything. Try to make a torrent client in JavaScript that works in the browser and connects to other clients over the standard torrent protocol.

F>>> 2. What are these "external addresses"? For example, are hosts in my LAN external? Are nodes accessible through a VPN external? How would you know what routing I have, and what goes to which interface under which masks?
vsb>> Those are internal. The rest are external. Your routing interests nobody.
F> Correct, my routing is mine, therefore sites have no business poking at arbitrary IP addresses: a site does not know which of them is which anyway, but potentially it can connect to nodes it should not.

For 99.999% of users routing corresponds to standards and this problem does not exist. In a specific case you can disable such a feature or compile the browser without it. That is not an argument for restricting functionality.

F> These are quite normal rules. The presence or absence of a password is secondary here. In a local network the manager can have  direct access on the LAN, and plain connections work for him when they do not for other users of the network. And so arbitrary code, whose presence you do not even know about when visiting a site, simply starts making arbitrary connections. Whether that is crooked or not is another question. People do this, and often.

A LAN means internal addresses. It is possible to restrict access to them, no problem. If you use public addresses in your LAN, the problem is clearly not in the browser.
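Added example, not part of any post in this thread and not a real browser API: a sketch of the rule debated above ("forbid local addresses" plus "allow only the page's own domain"), checked against fddima's points 1 and 2. The function names, the rule itself and the sample hosts are assumptions made for illustration; only IPv4 literals are handled.

```javascript
'use strict';
// Added example: hypothetical policy check, not a real browser API. IPv4 only.

// Parse a dotted-quad literal into an unsigned 32-bit number, or null if malformed.
function parseIPv4(text) {
  const parts = String(text).split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    // Reject empty, signed, hex and zero-padded octets: parsers disagree on those.
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// Ranges that can be called "internal" from the address alone: [base, prefix, label].
const NON_PUBLIC = [
  ['0.0.0.0', 8, 'this-network'],
  ['10.0.0.0', 8, 'private'],
  ['100.64.0.0', 10, 'shared-cgnat'],
  ['127.0.0.0', 8, 'loopback'],
  ['169.254.0.0', 16, 'link-local'],
  ['172.16.0.0', 12, 'private'],
  ['192.168.0.0', 16, 'private'],
  ['224.0.0.0', 4, 'multicast'],
  ['240.0.0.0', 4, 'reserved'],
];

function classify(ip) {
  const addr = parseIPv4(ip);
  if (addr === null) return 'invalid';
  for (const [base, len, label] of NON_PUBLIC) {
    const start = parseIPv4(base);
    if (addr >= start && addr < start + 2 ** (32 - len)) return label;
  }
  return 'public';
}

// Hypothetical rule: a page may open a raw socket only to a public address
// that its own origin host name resolves to.
function mayConnect(originIps, destIp) {
  const kind = classify(destIp);
  if (kind !== 'public') return { allow: false, reason: kind };
  if (!originIps.includes(destIp)) return { allow: false, reason: 'not-origin-address' };
  return { allow: true, reason: 'origin-address' };
}

// Constructed data (documentation ranges): two unrelated sites on one shared address.
const SAMPLE_DNS = {
  'site-a.example': ['203.0.113.10'],
  'site-b.example': ['203.0.113.10'],
};

function demo() {
  const originIps = SAMPLE_DNS['site-a.example'];
  return {
    // The home router is refused on the address alone.
    router: mayConnect(originIps, '192.168.1.1'),
    // Point 1: the same IP also serves site-b.example, and a raw socket carries
    // no Host header, so an IP-level "same origin" test cannot tell them apart.
    sharedHost: mayConnect(originIps, SAMPLE_DNS['site-b.example'][0]),
    // Point 2: a host reachable only over the user's VPN but numbered from
    // public space is indistinguishable from the open internet.
    vpnHost: classify('198.51.100.7'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `sharedHost` result is allowed and `vpnHost` comes back as `public`, which is the gap between an address-based rule and the host-name-based same-origin policy that the two sides of the thread are arguing about.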

15

Re: BSD sockets in API browsers

Hello, vsb, you wrote:

Too lazy to argue. On the whole, for God's sake, but what it is needed for is not clear. The same  the client on  - already demands access to . JS -  not fast. And in general the web browser is now a sandbox of a sort, sockets  without  means. They simply end with one simple cycle on the client. Moreover, it does not go through a proxy. It is easier to attach AJAX + Long Polling or WebSockets than to build something that is initially doomed to failure on the web. Besides, WebSockets as a protocol restrict you in very little: binary messages, please; bidirectionality, etc. It is the same application-level socket, but with ready-made frames/messages and, if I am not mistaken, multiplexing. For client web applications it is just the thing, but it is not restricted to them. In Chrome, for example, the remote debugging protocol (devtools) is built on WebSockets too; the choice is quite clear. Thus in-proc uses the same messages, but by websocket transport.  still it is necessary? In a web? ?! Enough toiling over nonsense.

16

Re: BSD sockets in API browsers

Hello, fddima, you wrote:

F> JS -  not fast.

C++ compiled to JS is almost twice as fast as the analog in C# - link (Author: Evgeny. Panasyuk, Date: 07.06.15).

17

Re: BSD sockets in API browsers

Hello, vsb, you wrote:

vsb> It did not become any clearer to me why same-origin policy or the hosting of several sites goes out the window because of this feature. Where sockets are really necessary, there is no way to make them out of anything. Try to make a torrent client in JavaScript that works in the browser and connects to other clients over the standard torrent protocol.

A thing incomparably more complex than the torrent protocol was made long ago: WebRTC for video and audio, p2p. Yes, it does not work without an intermediary, but also  to start operation it is required certain exterior .

18

Re: BSD sockets in API browsers

Hello, Evgeny. Panasyuk, you wrote:

F>> JS -  not fast.
EP> C++ compiled to JS is almost twice as fast as the analog in C# - link (Author: Evgeny. Panasyuk, Date: 07.06.15).

I read that thread at some point, long and tiresomely. Good results in certain cases are not an indicator in themselves. There is a heap of JS code that brings JS optimizers to their knees. They all keep growing, but as soon as you hit honest   or scanning of a prototype chain, the miracles  end sharply and painfully. In the latest V8, true, it possibly chews through this too. Besides, the poor type system does not allow working normally with a lot of data. Certainly, writing/compiling to  code (I mean no-purpose applications of all the typed arrays and other constructions) is good, but as before not everything is applicable everywhere. If JS/V8/others work faster than normal C++ code, most likely the problem is in the C++ code.

19

Re: BSD sockets in API browsers

Hello, fddima, you wrote:

F> There is a heap of JS code that brings JS optimizers to their knees. They all keep growing, but as soon as you hit honest   or scanning of a prototype chain, the miracles  end sharply and painfully.

None of that is needed when JS is used as a "" VM (which is what is generated when compiling C++ -> JS), and such  is very fast (asm.js). My point is that JS can be considered a VM/platform rather than a language for writing code directly by hand, and in that case the resulting application can be very fast.

F> If JS/V8/others work faster than normal C++ code, most likely the problem is in the C++ code.

I said that it is faster than similar C# code, not C++.

20

Re: BSD sockets in API browsers

Hello, Evgeny. Panasyuk, you wrote:

EP> None of that is needed when JS is used as a "" VM (which is what is generated when compiling C++ -> JS), and such  is very fast (asm.js).

V8, it seems, still knows nothing about asm.js. And it works well enough without it. But here I agree.

EP> My point is that JS can be considered a VM/platform rather than a language for writing code directly by hand, and in that case the resulting application can be very fast.

Here, again yes, you are right. At the same time V8 (I worked only with it) is not so ideal, and it is not assured in what pours out  (we considered it already?) . Not all one  and how it will behave, I do not know. Plus, Chrome is explicitly built with PGO . As far as I know, that alone gives V8 a gain of 10-20%; the data is old. My point is that the thing is polished enough -> it yields better results than the average. Though speaking about JS as a JS VM does not seem correct to me. In the sense that on the web, after all, probably more code  is executed for now. :D

But I look at it a little differently: an ordinary page (we are talking about the web) is who knows what. 20-30 frames from ads, heaps of chaotic inclusions and the most intricate usages, and here you also get some mysterious setInterval fn 100ms where fn selects fantastic selectors through jquery. And there are about 30 such timers and nobody  them. As part of my duties I often analyze pages, so I have seen all sorts. I am sure there would be no such nonsense on your page. But if we embed someone else's iframe, there is already a chance that we get interrupted on a timer for an unknown time. I mean it rather in this sense. . However, strangely, it works.

Well, and as for ... There I do not know at all whether it is pure i/o bound or not. uTorrent on my machine, downloading at 10MBps, uses almost no percent. On a modern computer everything is fast. But sit down at a weaker machine and the slowdowns are noticeable everywhere, and  in browsers do not seem a good idea. In general browsers seem a worthless idea. Though both get warm - and are good again.

EP> I said that it is faster than similar C# code, not C++.

 to me. , late - blunted.

21

Re: BSD sockets in API browsers

Hello, Glory, you wrote:

vsb>> It did not become any clearer to me why same-origin policy or the hosting of several sites goes out the window because of this feature. Where sockets are really necessary, there is no way to make them out of anything. Try to make a torrent client in JavaScript that works in the browser and connects to other clients over the standard torrent protocol.
C> A thing incomparably more complex than the torrent protocol was made long ago: WebRTC for video and audio, p2p.

WebRTC is implemented in C++ and is beside the point. I will not download the distribution kit  through  using WebRTC, nor will I check mail using IMAP. Do you suggest doing every protocol in the world as part of the browser?

C> Yes, it does not work without an intermediary, but also  to start operation it is required certain exterior .

The point is not . The point is the possibility of implementing any protocol. Torrent, SMTP, IMAP, SSH, FTP, NTP and , and all of it in normal JavaScript.

22

Re: BSD sockets in API browsers

Hello, fddima, you wrote:

F> On the whole, for God's sake, but what it is needed for is not clear.

To write more full-fledged web applications.

F> The same  the client on  - already demands access to .

Access to  at  has existed for many years; it is called the File API.

F> JS -  not fast.

JS is very fast. One of the fastest languages.

F> And in general the web browser is now a sandbox of a sort, sockets  without  means. They simply end with one simple cycle on the client.

Restrictions on the number of open connections are not a problem.

F> Moreover, it does not go through a proxy.

Passing  about the current proxy is not a problem either.

F> It is easier to attach AJAX + Long Polling or WebSockets than to build something that is initially doomed to failure on the web.

The question here is not what is easier; the question is whether it is possible in principle. You cannot work with Jabber through WebSockets. You have to do the implementation on the server and have JavaScript transfer my account password there, and at that moment I stop using such a service, because I do not want my password to fall into the hands of third parties.

23

Re: BSD sockets in API browsers

Hello, b0r3d0m, you wrote:

B> What, actually, is the problem with having functions for working with TCP/UDP sockets in browser APIs? Any security reasons?

The web is many-sided, unlike a simple socket. Say, connection of the client through  (or several). Connection of servers to a load balancer. Change of transport from HTTP to HTTPS and back. Etc. Push all these nuances as metadata through a normal socket, and there we have  HTTP. Only its support at the level of the other participants of the network infrastructure will be zero...

24

Re: BSD sockets in API browsers

Hello, Evgeny. Panasyuk, you wrote:

EP> Wake up, you already  - through web pages it is possible to crack local routers, etc.
EP>
EP> https://en.wikipedia.org/wiki/Cross-sit … st_forgery
EP> Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank

I think they opened this email not in the browser but in the mail client.

25

Re: BSD sockets in API browsers

Hello, chaotic-kotik, you wrote:

EP>> Wake up, you already  - through web pages it is possible to crack local routers, etc.
EP>>
EP>> https://en.wikipedia.org/wiki/Cross-sit … st_forgery
EP>> Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank
CK> I think they opened this email not in the browser but in the mail client.

It makes no difference, it can be from the browser as well. I could even embed in this message an img url that will poke your local router from inside the network. There are restrictions, certainly; nevertheless similar attacks have been in use for a long time and are not a fantasy.  even brute-force router passwords.