Slide 1

Slide 1 text

HTTP Potpourri Kevin Hakanson Twin Cities Code Camp 12 14-15 April 2012

Slide 2

Slide 2 text

Are You In The Right Place?
●This talk:
○Embracing HTTP is an important property of well-constructed RESTful and web APIs. Every web developer is familiar with GET and POST, 200 and 404, Accept and Content-Type; but what about 207 and 413, OPTIONS and PROPFIND, Transfer-Encoding and X-File-Size? This session is based on usage of various HTTP methods, headers and status codes drawn from the development of large-scale web applications. Examples include raw HTTP, mixed in with JavaScript and ASP.NET MVC code.
●This speaker:
○Kevin Hakanson is an application architect for Thomson Reuters, where he is focused on highly scalable web applications. His background includes both .NET and Java, but he is most nostalgic about Lotus Notes. He has been developing professionally since 1994 and holds a Master's degree in Software Engineering. When not staring at a computer screen, he is probably staring at another screen, either watching TV or playing video games with his family.

Slide 3

Slide 3 text

Kevin Hakanson @hakanson #tccc12 [email protected] github.com/hakanson stackoverflow.com/users/22514/kevin-hakanson

Slide 4

Slide 4 text

What to Expect
●define:potpourri
○"A collection of various things; an assortment, mixed bag or motley" - Wiktionary
●"Based on a True Story"
○derived from production code from a large-scale web app
○combined with stackoverflow questions
○and a mix of web tutorials
●Combination of informational slides with highlights, screenshots, code samples and HTTP snippets
●Attempts at humor
●Questions (OK during presentation)

Slide 5

Slide 5 text

Tools and Technologies
●IE 10, Chrome 17, Firefox 11
●Fiddler, Wireshark
●curl (Git Bash)
●Windows 8 Consumer Preview
●Visual Studio 11 (beta)
●ASP.NET MVC 4
●Squid
●Alt + PrtScr; Paint.NET
●memegenerator.net
●live co-worker audience

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

Methods
●RFC 2616, Section 9 defines these "methods" (the word "verb" does not appear in http://www.ietf.org/rfc/rfc2616.txt)
○OPTIONS, GET, HEAD, PUT, POST, DELETE, TRACE, CONNECT
●Only GET and POST work with HTML forms (the form method attribute accepts nothing else)
●AJAX (XMLHttpRequest) allows the rest, except that the browser refuses CONNECT, TRACE and TRACK
●Sometimes you need X-HTTP-Method-Override
○http://stackoverflow.com/questions/467535/is-it-possible-to-implement-x-http-method-override-in-asp-net-mvc
○<%=Html.HttpMethodOverride(HttpVerbs.Delete) %>
○Caveat: the override is a convention inside your own app. Anything that enforces access by method before the override is resolved (URL authorization, a proxy or WAF rule) sees a POST, not a DELETE.

Slide 8

Slide 8 text

Headers
●HTTP header fields, which include (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
○general-header (section 4.5)
○request-header (section 5.3)
○response-header (section 6.2)
○entity-header (section 7.1)
●Permanent Message Header Field Names
○http://www.iana.org/assignments/message-headers/perm-headers.html

Slide 9

Slide 9 text

Headers
●"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]"
●The following are equivalent:
    Field-Name: field-value1
    Field-Name: field-value2
  and
    Field-Name: field-value1,field-value2
●The rule cuts both ways: a field that is not a list (Set-Cookie is the well-known case, its Expires date contains a comma) must not be folded, and a repeated non-list field such as Content-Length is malformed rather than mergeable.

Slide 10

Slide 10 text

Headers - Browser Request Defaults

IE 10:
GET http://localhost:4952/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: localhost:4952

Chrome 17:
GET http://localhost:4952/ HTTP/1.1
Host: localhost:4952
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Firefox 11:
GET http://localhost:4952/ HTTP/1.1
Host: localhost:4952
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Slide 11

Slide 11 text

Headers - Case Insensitive
●Field names are case-insensitive.
○http://stackoverflow.com/questions/1130297/in-ie-the-x-requested-with-header-of-jquery-becomes-x-requested-with-lower

    function doXHR() {
        var request = new XMLHttpRequest();
        request.open('GET', '/header/header.txt');
        // Same header names in four spellings; the next slide shows what each browser sends
        request.setRequestHeader('x-lowercase', 'X-lowercase');
        request.setRequestHeader('x-Propercase', 'X-Propercase');
        request.setRequestHeader('x-CamelCase', 'X-CamelCase');
        request.setRequestHeader('x-UPPERCASE', 'X-UPPERCASE');
        request.onreadystatechange = function () {
            if (request.readyState == 4) {
                console.log('Received XMLHttpRequest callback: \n' + request.responseText);
            }
        };
        request.send("");
    }

Slide 12

Slide 12 text

Headers - Case Insensitive

IE 8 (lower-cases every name):
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
x-lowercase: X-lowercase
x-camelcase: X-CamelCase
x-uppercase: X-UPPERCASE
x-propercase: X-Propercase

Safari 4 (title-cases every name):
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Safari/528.17
X-Lowercase: X-lowercase
X-Uppercase: X-UPPERCASE
X-Camelcase: X-CamelCase
X-Propercase: X-Propercase

Firefox 3.0.6 (sends names as written):
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)
x-lowercase: X-lowercase
x-Propercase: X-Propercase
x-CamelCase: X-CamelCase
x-UPPERCASE: X-UPPERCASE
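As an added example (not from the talk), a small Python header container that applies the two rules of the preceding slides: field names compare case-insensitively whatever spelling the browser chose, and repeated fields fold into one comma-separated value only when the field is defined as a list. The LIST_FIELDS set is an assumed practical subset, not a complete registry, and a repeated non-list field is treated as an error rather than silently taking the first or last copy.

```python
"""Case-insensitive header container that folds repeated list-valued fields.
Added example, not from the talk. LIST_FIELDS is an assumed practical subset
of the #(values) fields in RFC 2616, not a complete registry."""
from typing import List, Optional, Tuple

LIST_FIELDS = {
    "accept", "accept-charset", "accept-encoding", "accept-language", "allow",
    "cache-control", "connection", "if-none-match", "vary", "via", "warning",
    "access-control-request-headers", "access-control-allow-headers",
    "access-control-allow-methods",
}


class Headers:
    """Stores (name, value) pairs in arrival order; names compare case-insensitively."""

    def __init__(self) -> None:
        self._items: List[Tuple[str, str]] = []

    def add(self, name: str, value: str) -> None:
        self._items.append((name.strip(), value.strip()))

    def get_all(self, name: str) -> List[str]:
        key = name.lower()
        return [v for n, v in self._items if n.lower() == key]

    def get(self, name: str) -> Optional[str]:
        """One logical value. Repeated list fields fold to 'a,b'; a repeated
        non-list field (Set-Cookie, Content-Length, Host, ...) is an error.
        Use get_all() for Set-Cookie."""
        values = self.get_all(name)
        if not values:
            return None
        if name.lower() in LIST_FIELDS:
            return ",".join(values)
        if len(values) > 1:
            raise ValueError("repeated non-list header: %s" % name)
        return values[0]

    def elements(self, name: str) -> List[str]:
        """Elements of a #(values) field, however the sender split them across lines.
        (Plain comma split: values with commas inside quoted-strings are not handled.)"""
        folded = self.get(name)
        if folded is None:
            return []
        return [e.strip() for e in folded.split(",") if e.strip()]


def parse_headers(raw: str) -> Headers:
    """Parse 'Name: value' lines (CRLF or LF separated) up to the first blank line."""
    headers = Headers()
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            break
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        headers.add(name, value)
    return headers
```

With this container, `get("ACCEPT-LANGUAGE")` returns the same folded value whether the browser sent one line or two, and `get("Set-Cookie")` on a response with two cookies raises instead of corrupting either cookie.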

Slide 13

Slide 13 text

What's Special About These Headers? Accept-Charset Accept-Encoding Access-Control-Request-Headers Access-Control-Request-Method Connection Content-Length Cookie Cookie2 Content-Transfer-Encoding Date Expect Host Keep-Alive Origin Proxy-* Referer Sec-* TE Trailer Transfer-Encoding Upgrade User-Agent Via

Slide 14

Slide 14 text

Can't Set with XMLHttpRequest
●Read the spec for setRequestHeader()
○http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
●Or look at the WebKit source code
○http://trac.webkit.org/browser/trunk/Source/WebCore/xml/XMLHttpRequest.cpp?rev=105076

    bool XMLHttpRequest::isAllowedHTTPHeader(const String& name)
    {
        initializeXMLHttpRequestStaticData();
        // Exact-name deny list (previous slide) plus the Proxy- and Sec- prefixes;
        // the false argument makes the prefix match case-insensitive
        return !staticData->m_forbiddenRequestHeaders.contains(name)
            && !name.startsWith(staticData->m_proxyHeaderPrefix, false)
            && !name.startsWith(staticData->m_secHeaderPrefix, false);
    }
●These are the fields a page must not be able to forge (Host, Origin, Referer, Cookie, ...) or that belong to the transport (Content-Length, Transfer-Encoding, Connection, ...); the browser sets them itself, so a server can trust them more than any X- header script can send.

Slide 15

Slide 15 text

Encoding and Character Sets
●Accept-Encoding
○gzip, compress, deflate, identity
●Transfer-Encoding
○identity, chunked
●19.4.5 No Content-Transfer-Encoding
○"HTTP MUST remove any non-identity CTE ("quoted-printable" or "base64") encoding"
●3.4 Character Sets
○Note: This use of the term "character set" is more commonly referred to as a "character encoding." However, since HTTP and MIME share the same registry, it is important that the terminology also be shared.

Slide 16

Slide 16 text

Code

Slide 17

Slide 17 text

HelloWebAPI
●Let's start with "Your First ASP.NET Web API (C#)"
○http://www.asp.net/web-api/overview/getting-started-with-aspnet-web-api/tutorial-your-first-web-api
●Demo
○http://localhost:4952/

Slide 18

Slide 18 text

Fiddler & Transfer-Encoding: gzip

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

"Flush the Buffer Early"
●Best Practices for Speeding Up Your Web Site
○http://developer.yahoo.com/performance/rules.html
●In Views\Shared\_Layout.cshtml, add Response.Flush
    @{
        Response.Buffer = true;
        Response.Flush();
    }
    @RenderBody()

Slide 21

Slide 21 text

IE10 & Transfer-Encoding: chunked Looks good to me...

Slide 22

Slide 22 text

Fiddler & Transfer-Encoding: chunked however, 0x781 = 1921

Slide 23

Slide 23 text

"Flush the Buffer" and .aspx
    this.HttpContext.Response.Buffer = true;
    <% HttpContext.Current.Response.Flush(); %>
●Seen in Fiddler: Transfer-Encoding: chunked, charset utf-8, Content-Encoding: gzip, with chunk sizes (hex) 296, a3 and the terminating 0
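The chunk sizes on these slides (296 and a3 here, 0x781 = 1921 in the Fiddler screenshot) are the hexadecimal size lines of a chunked body. As an added example, not from the talk, here is an encoder and a strict decoder for Transfer-Encoding: chunked: hex sizes are validated, chunk-extensions are ignored, every CRLF terminator is checked, trailer headers are returned separately, and a truncated or malformed body raises instead of yielding partial data. The sample bodies in the test are constructed.

```python
"""Encoder and strict decoder for Transfer-Encoding: chunked (RFC 2616 section 3.6.1).
Added example, not from the talk; the sample bodies used with it are constructed."""
from typing import Tuple

HEX = b"0123456789abcdefABCDEF"


def encode_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Split payload into chunks: hex size line, data, CRLF, ... then '0' and an empty line."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def decode_chunked(body: bytes) -> Tuple[bytes, bytes]:
    """Return (payload, trailer header bytes). Any framing fault raises ValueError;
    a truncated body never yields partial data."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing CRLF after chunk-size")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # ignore chunk-extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise ValueError("bad chunk-size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break                                   # last-chunk
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
        out += chunk
    # last-chunk is followed by optional trailer headers and a final empty line
    if body.startswith(b"\r\n", pos):
        return bytes(out), b""
    end = body.find(b"\r\n\r\n", pos)
    if end < 0:
        raise ValueError("unterminated trailer")
    return bytes(out), body[pos:end]
```

Note that when a message carries both Content-Length and Transfer-Encoding, RFC 2616 section 4.4 says the transfer-encoding wins and Content-Length must be ignored; a decoder that quietly trusts the other field, or that returns what it managed to parse from a truncated body, is where framing disagreements between proxies and servers begin.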

Slide 24

Slide 24 text

IIS / ASP.NET Custom Headers
●What are these?
○X-AspNetMvc-Version
○X-AspNet-Version
○X-SourceFiles
○X-Powered-By
●How do I remove them, since I "trust no one"? (Each one hands the exact framework and version to anyone who asks, which is free reconnaissance.)

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

X- Fields
●Go by various names, referred to
○as x-token in the BNF of RFC 2045
○as user-defined ("X-") in section 5 of RFC 2047
○as Experimental headers in section 4.2.2.1 of the News Article Format draft
○http://stackoverflow.com/questions/1810915/is-safe-to-use-x-header-in-a-http-response
●Deprecating Use of the "X-" Prefix in Application Protocols (draft 03; January 27, 2012)
○http://tools.ietf.org/html/draft-saintandre-xdash-03
○"deprecates the "X-" convention for most application protocols by making specific recommendations"

Slide 27

Slide 27 text

X-AspNetMvc-Version: 4.0
●To remove this header, in the Application_Start() of Global.asax.cs add:
○MvcHandler.DisableMvcResponseHeader = true;
●http://stackoverflow.com/questions/3418557/how-to-remove-asp-net-mvc-default-http-headers/3418574#3418574

Slide 28

Slide 28 text

X-AspNet-Version: 4.0.30319
●To remove this header, in Web.config set enableVersionHeader="false" on the <httpRuntime> element under <system.web>
●http://stackoverflow.com/questions/3418557/how-to-remove-asp-net-mvc-default-http-headers/3418574#3418574

Slide 29

Slide 29 text

X-Powered-By: ASP.NET
●To remove this header, in Web.config add <remove name="X-Powered-By" /> under <system.webServer><httpProtocol><customHeaders> (it is added by IIS, not by ASP.NET, so <system.web> settings do not affect it)

Slide 30

Slide 30 text

X-SourceFiles
●http://stackoverflow.com/questions/4851684/what-does-the-x-sourcefiles-header-do
●X-SourceFiles: =?UTF-8?B?YzpcdXNlcnNcZGV2ZWxvcGVyXGRvY3VtZW50c1x2aXN1YWwgc3R1ZGlvIDExXFByb2plY3RzXEhlbGxvV2ViQVBJXEhlbGxvV2ViQVBJ?=
●Decodes to:
○c:\users\developer\documents\visual studio 11\Projects\HelloWebAPI\HelloWebAPI
○i.e. the physical path of the project on the developer's machine, a detail no production response should carry
●encoded-word (http://tools.ietf.org/html/rfc1342, since replaced by RFC 2047)
○"=" "?" charset "?" encoding "?" encoded-text "?" "="
○encoding either "B" (Base64) or "Q" (Quoted Printable)
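As an added example (not from the talk), a decoder for the encoded-word syntax just described, applied to the X-SourceFiles value from the slide (the value is wrapped over three lines on the slide; folding never splits an encoded-word, so it is re-joined first). It handles both the B and Q encodings, validates the base64 alphabet, and cross-checks its result against the standard library's email.header decoder.

```python
"""Decode RFC 2047 encoded-words (originally RFC 1342) such as the X-SourceFiles value.
Added example, not from the talk; X_SOURCE_FILES is the slide's value re-joined."""
import base64
import quopri
import re
from email.header import decode_header, make_header

X_SOURCE_FILES = (
    "=?UTF-8?B?YzpcdXNlcnNcZGV2ZWxvcGVyXGRvY3VtZW50c1x2aXN1YWwgc3R1ZGlv"
    "IDExXFByb2plY3RzXEhlbGxvV2ViQVBJXEhlbGxvV2ViQVBJ?="
)

# "=" "?" charset "?" encoding "?" encoded-text "?" "="
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")


def decode_encoded_word(value: str) -> str:
    """Replace each =?charset?B|Q?text?= token with its decoded text; other text is kept."""
    def one(match: "re.Match[str]") -> str:
        charset, enc, text = match.group(1), match.group(2).upper(), match.group(3)
        charset = charset.split("*", 1)[0]               # drop an RFC 2231 language tag
        if enc == "B":
            raw = base64.b64decode(text, validate=True)  # reject non-alphabet characters
        else:
            # Q is quoted-printable with '_' standing for a space
            raw = quopri.decodestring(text.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(one, value)


def decode_with_stdlib(value: str) -> str:
    """Same result through email.header, as a cross-check."""
    return str(make_header(decode_header(value)))
```

The decoded path is exactly the kind of value to strip before a response leaves the development machine: it reveals the user name, the Visual Studio version and the project layout.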

Slide 31

Slide 31 text

Header Limits?
●IIS has several limits
○http://stackoverflow.com/questions/1097651/is-there-a-practical-http-header-length-limit
●Http.sys registry settings for IIS
○http://support.microsoft.com/kb/820129
○MaxFieldLength is the "upper limit for each header"
○MaxRequestBytes is the "upper limit for the total size of the Request line and the headers"
●Header Limits
○http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits/headerLimits
○limit the length of a specific header

Slide 32

Slide 32 text

This Slide Intentionally Left Blank

Slide 33

Slide 33 text

File Upload
●jQuery File Upload Plugin
○"Files can be uploaded as standard "multipart/form-data" or file contents stream (HTTP PUT file upload)."
○https://github.com/blueimp/jQuery-File-Upload
    $('#fileupload').fileupload({});

Slide 34

Slide 34 text

RFC 2388 multipart message
POST http://localhost:4952/Logo/Upload HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Content-Length: 17860
Origin: http://localhost:4952
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryV7HK5HxBBDfYoirj
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------WebKitFormBoundaryV7HK5HxBBDfYoirj
Content-Disposition: form-data; name="files[]"; filename="logo.png"
Content-Type: image/png

(binary PNG data, beginning with the 0x89 "PNG" signature)
------WebKitFormBoundaryV7HK5HxBBDfYoirj--

Slide 35

Slide 35 text

$('#id').fileupload({multipart:false})
POST http://localhost:4952/Logo/Upload HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Content-Length: 17662
Origin: http://localhost:4952
X-File-Size: 17662
X-Requested-With: XMLHttpRequest
X-File-Name: logo.png
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Content-Type: image/png
Accept: application/json, text/javascript, */*; q=0.01
X-File-Type: image/png
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
●X-File-Name and X-File-Type, like filename= and Content-Type in the multipart form, are whatever the client chose to send: validate them before using one as a path or to pick a handler.

Slide 36

Slide 36 text

Page Load
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Accept: */*
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Encoding: gzip
ETag: dada50d251fa1ac5c4b25961f87671dd
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Date: Fri, 06 Apr 2012 19:58:03 GMT
Content-Length: 25973

Slide 37

Slide 37 text

Etag and 304
●Use MD5 hash of data to generate Etag value
●Compare MD5 hash against If-None-Match to return 304

    // hash is the MD5 of the logo bytes, computed when logoInfo was loaded
    String hash = logoInfo.Etag;
    if (hash.Equals(Request.Headers["If-None-Match"]))
    {
        // client already holds this entity: status only, no body
        Response.StatusCode = 304;
    }
    else
    {
        Response.ContentType = logoInfo.ContentType;
        Response.Headers["Etag"] = hash;
        logoInfo.Stream.Position = 0;
        logoInfo.Stream.CopyTo(Response.OutputStream);
    }
●Note: RFC 2616 defines entity-tag as a quoted-string (ETag: "dada50..."), and If-None-Match may carry a comma-separated list or "*". The exact string compare above only works because both sides here use the same unquoted value.

Slide 38

Slide 38 text

F5 Reload
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
If-None-Match: dada50d251fa1ac5c4b25961f87671dd
Accept: */*
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 304 Not Modified
Cache-Control: private
Server: Microsoft-IIS/7.5
Date: Fri, 06 Apr 2012 19:58:39 GMT

Slide 39

Slide 39 text

Ctrl + F5 Reload
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Accept: */*
Referer: http://localhost:4952/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Encoding: gzip
ETag: dada50d251fa1ac5c4b25961f87671dd
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Date: Fri, 06 Apr 2012 20:00:38 GMT
Content-Length: 25973
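The three exchanges above (first load, F5 with If-None-Match, Ctrl+F5 without it) are what a server-side conditional GET has to handle. As an added example, not the talk's controller, here is the same logic in Python with the validator done by the book: the ETag is a quoted strong entity-tag, If-None-Match is parsed as a list that may contain "*", and weak tags (W/"...") never satisfy the strong comparison a 304 on GET requires. The Logo class and its MD5-based tag are constructed stand-ins for the talk's logoInfo; MD5 is fine here because the tag is only a cache validator, not an integrity check.

```python
"""Conditional GET with strong ETag validation (RFC 2616 sections 13.3.3 and 14.26).
Added example, not the talk's controller; Logo is a constructed stand-in for logoInfo."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Logo:
    content_type: str
    data: bytes

    @property
    def etag(self) -> str:
        # A strong validator is a quoted-string; the slides' IIS traffic shows an
        # unquoted value, which works in practice but is not valid entity-tag syntax.
        return '"%s"' % hashlib.md5(self.data).hexdigest()


def parse_if_none_match(value: Optional[str]) -> List[str]:
    """Split an If-None-Match list; a bare '*' matches any current entity."""
    if value is None:
        return []
    return [tag.strip() for tag in value.split(",") if tag.strip()]


def strong_match(current: str, candidates: List[str]) -> bool:
    """Strong comparison: byte-equal tags only; weak tags never match."""
    return any(c == "*" or (c == current and not c.startswith("W/")) for c in candidates)


def handle_download(logo: Logo, request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, response headers, body). request_headers keys are assumed
    already normalised to the canonical spelling used here."""
    inm = request_headers.get("If-None-Match")
    if strong_match(logo.etag, parse_if_none_match(inm)):
        # 304 repeats the validator but carries no body
        return 304, {"ETag": logo.etag, "Cache-Control": "private"}, b""
    headers = {
        "ETag": logo.etag,
        "Content-Type": logo.content_type,
        "Cache-Control": "private",
        "Content-Length": str(len(logo.data)),
    }
    return 200, headers, logo.data
```

The server never needs to inspect Cache-Control: no-cache on a Ctrl+F5: the browser simply omits If-None-Match, so the function falls through to the full 200 on its own.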

Slide 40

Slide 40 text

Cache Headers
●Set Cache-Control: public,max-age=X with
○http://www.iis.net/ConfigReference/system.webServer/staticContent/clientCache
●Clearing the ETag needs URL Rewrite Module 2.0 installed
○http://stackoverflow.com/questions/7947420/iis-7-5-remove-etag-headers-from-response

Slide 41

Slide 41 text

Squid Proxy
●Squid 2.7 for Windows (http://squid.acmeconsulting.it/)
●squid.conf
○http_access allow localhost
●Set proxy as localhost:3128, then see additional response headers (note that Via discloses the proxy's host name and version to the client):
    Proxy-Connection: keep-alive
    Via: 1.1 U0038137-W8A:3128 (squid/2.7.STABLE8)
    X-Cache: MISS from U0038137-W8A
    X-Cache-Lookup: MISS from U0038137-W8A:3128

Slide 42

Slide 42 text

PURGE
●Purge an object from the Squid cache
○http://wiki.squid-cache.org/SquidFaq/OperatingSquid
●squid.conf (restrict PURGE to localhost; anyone allowed to send it can evict cache entries at will)
○acl PURGE method PURGE
○http_access allow PURGE localhost
○http_access deny PURGE
●squidclient -m PURGE
●curl --request PURGE --proxy localhost:3128

Slide 43

Slide 43 text

WebDAV
●"extension to the HTTP/1.1 protocol that allows clients to perform remote web content authoring operations"
●Leveraged existing HTTP Methods
○GET, HEAD, POST, DELETE, PUT
●Defined new HTTP Methods
○PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
●New Status Codes
○102 Processing, 207 Multi-Status, 422 Unprocessable Entity, 423 Locked, 424 Failed Dependency, 507 Insufficient Storage

Slide 44

Slide 44 text

curl - transfer a URL
●Installed on Windows if you have Git Bash
○http://curl.haxx.se/docs/manpage.html
●Some options
    --compressed
    --data-binary
    -F, --form
    -H, --header
    --limit-rate
    -o, --output
    -T, --upload-file
    -x, --proxy <[protocol://][user:password@]proxyhost[:port]>
    -X, --request

Slide 45

Slide 45 text

WebDAV - PROPFIND Request
$ curl --proxy localhost:8888 --request PROPFIND http://localhost:4952/Logo/Download

PROPFIND http://localhost:4952/Logo/Download HTTP/1.1
User-Agent: curl/7.21.1 (i686-pc-mingw32) libcurl/7.21.1 OpenSSL/0.9.8r zlib/1.2.3
Host: localhost:4952
Accept: */*
Connection: Keep-Alive

Slide 46

Slide 46 text

WebDAV - PROPFIND Response
HTTP/1.1 207 Multi-Status
Cache-Control: private
Content-Type: text/xml
Server: Microsoft-IIS/7.5
Date: Sat, 07 Apr 2012 20:53:01 GMT
Content-Length: 532

Body (multistatus XML; element values as captured):
http://localhost:4952/Logo/Download
HTTP/1.1 200 OK
image/png
Sat, 07 Apr 2012 20:45:05 GMT
dada50d251fa1ac5c4b25961f87671dd
Sat, 07 Apr 2012 20:45:05 GMT

Slide 47

Slide 47 text

public ActionResult Propfind()

    [ActionName("Download")]
    [AcceptVerbs("PROPFIND")]
    public ActionResult Propfind()
    {
        Response.StatusCode = 207;
        Response.ContentType = "text/xml";
        Response.Charset = null;
        ViewBag.ContentType = logoInfo.ContentType;
        ViewBag.Date = logoInfo.Date;
        ViewBag.Etag = logoInfo.Etag;
        return PartialView("Propfind");
    }

Slide 48

Slide 48 text

Propfind.cshtml (Razor expressions inside the multistatus XML)
    @Request.Url
    HTTP/1.1 200 OK
    @ViewBag.ContentType
    @ViewBag.Date.ToUniversalTime().ToString("r")
    @ViewBag.Etag
    @ViewBag.Date.ToUniversalTime().ToString("r")

Slide 49

Slide 49 text

Browser Security

Slide 50

Slide 50 text

X-Frame-Options
●Combating ClickJacking With X-Frame-Options
○http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
●Browser Support:
○IE8+, Safari 4+, Chrome 4+, Firefox 3.6.9+
○Test at http://www.enhanceie.com/test/clickjack/
●Value may be one of
○DENY - never render the page inside a frame
○SAMEORIGIN - render only if the top-level browsing context has the same origin as the page
○ALLOW-FROM origin - render only if the top-level browsing context is the given origin (not honored by every browser in the list above, which then falls back to framing normally)
●It is a response header, so it must be sent on every HTML response you want protected, not just the login page.

Slide 51

Slide 51 text

HTTP Strict Transport Security
●Allows a site to request that it always be contacted over HTTPS.
○http://dev.chromium.org/sts
●Supported in Google Chrome, Firefox 4.
●Remembers that for the given number of seconds, the current domain should only be contacted over HTTPS
●The header is only honored when received over HTTPS; sent over plain HTTP it is ignored, otherwise anyone on the network could set it
●Spec
○http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06
●Example Response Header (max-age=15768000 is about six months)
    Strict-Transport-Security: max-age=15768000 ; includeSubDomains

Slide 52

Slide 52 text

Cross-Origin Resource Sharing
●a.k.a. CORS http://www.w3.org/TR/cors/
●Implementing CORS support in ASP.NET Web APIs
○http://blogs.msdn.com/b/carlosfigueira/archive/2012/02/21/implementing-cors-support-in-asp-net-web-apis-take-2.aspx
●Request Headers
○Origin
○Access-Control-Request-Method
○Access-Control-Request-Headers
●Response Headers
○Access-Control-Allow-Origin
○Access-Control-Allow-Credentials
○Access-Control-Expose-Headers
○Access-Control-Max-Age
○Access-Control-Allow-Methods
○Access-Control-Allow-Headers
●Two things to get right: Access-Control-Allow-Origin: * cannot be combined with Access-Control-Allow-Credentials: true, and echoing whatever Origin arrived without checking it against a list grants every site on the web the same access.

Slide 53

Slide 53 text

CORS Preflight Request/Response
OPTIONS http://localhost:4952/api/Values/ HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:7147
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Access-Control-Request-Headers: Origin, Content-Type, Accept
Accept: */*
Referer: http://localhost:7147/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Origin, Content-Type, Accept
Access-Control-Allow-Origin: http://localhost:7147
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 28 Mar 2012 17:38:00 GMT
Content-Length: 0
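As an added example, not the Web API filter the talk links to, here is the server-side decision behind the preflight exchange above in Python: the OPTIONS request headers go in, the Access-Control-* response headers come out, and anything not on an explicit allow-list (origin, method, requested headers) gets no CORS headers at all so the browser blocks the real request. ALLOWED_ORIGINS, ALLOWED_METHODS and ALLOWED_HEADERS are assumptions chosen to match the capture.

```python
"""Evaluate a CORS preflight (OPTIONS) against an explicit allow-list.
Added example, not from the talk; the allow-lists are assumptions."""
from typing import Dict, List, Optional, Tuple

ALLOWED_ORIGINS = {"http://localhost:7147"}              # exact scheme+host+port, no wildcards
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"origin", "content-type", "accept"}   # compared case-insensitively


def _csv(value: Optional[str]) -> List[str]:
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def preflight(req: Dict[str, str], allow_credentials: bool = False) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for the request headers of an OPTIONS
    preflight. Header names are assumed already normalised to the spelling used here."""
    origin = req.get("Origin")
    method = req.get("Access-Control-Request-Method")
    if origin is None or method is None:
        return 400, {}                     # not a preflight at all
    if origin not in ALLOWED_ORIGINS:
        # No Access-Control-* headers: the browser refuses the actual request.
        # Never echo an unknown Origin back; that would admit every site.
        return 403, {}
    if method.upper() not in ALLOWED_METHODS:
        return 403, {}
    requested = _csv(req.get("Access-Control-Request-Headers"))
    if any(h.lower() not in ALLOWED_HEADERS for h in requested):
        return 403, {}
    resp = {
        "Access-Control-Allow-Origin": origin,           # an allow-listed origin only
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Max-Age": "600",                 # cache this preflight result
        "Vary": "Origin",                                # shared caches must key on Origin
        "Content-Length": "0",
    }
    if allow_credentials:
        # Only valid with a concrete origin; '*' plus credentials is rejected by browsers.
        resp["Access-Control-Allow-Credentials"] = "true"
    return 200, resp
```

Compared with the captured response, the added Vary: Origin matters as soon as a cache sits in front of the API: without it a preflight answer for one origin can be served to another.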

Slide 54

Slide 54 text

Demo http://localhost:7147/

Slide 55

Slide 55 text

No content

Slide 56

Slide 56 text

Cross-Site Request Forgery (CSRF)
●How to use ASP.NET MVC anti-forgery helpers with web APIs?
●Started with "Preventing CSRF with Ajax"
○http://haacked.com/archive/2011/10/10/preventing-csrf-with-ajax.aspx
●Used the "ASP.NET MVC 3 RTM Source Code" to peek into the inner workings of AntiForgery
○https://aspnet.codeplex.com/releases/view/58781

Slide 57

Slide 57 text

Modifications
●Controller code
    var inputTag = AntiForgery.GetHtml(this.HttpContext, null, null, null).ToString();
    var tokenValue = Regex.Match(inputTag, "value=\"(.*)\"").Groups[1].Value;
    ViewBag.RequestVerificationToken = tokenValue;
●View code
    $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
        if (!options.headers) options.headers = {};
        options.headers["__RequestVerificationToken"] = "@ViewBag.RequestVerificationToken";
    });
●validation not working yet, because:
○System.Web.Http.Filters.FilterAttribute != System.Web.Mvc.FilterAttribute

Slide 58

Slide 58 text

CSRF
GET http://localhost:4952/api/products/ HTTP/1.1
__RequestVerificationToken: q592rxZ1san7NwORzH0SkHp8rpIYB9IDgosSIt+/hB4hVsKUB/xsfCfsiqdStnHZ459xX+mM8VKL+IUP1CDM8jcoKv5La1l4XszC5tz6FiIY2lVXZ+CaYytbjV2o+I0wJHyLvrpgjyzGwHHErwVv4jgDG3khJr1ibRGGJicFlWw=
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://localhost:4952/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; Media Center PC 6.0; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Host: localhost:4952
Connection: Keep-Alive
Cookie: __RequestVerificationToken_Lw__=WVJj4wvLfroG56QsHbZHNxhSZBxbsf3nN1FPsBp8AWgyyuKSr19voC8zxwl1wu1GfI9/uqKcdf03dtVN8Izm+JkDG6/j/zhnKFyYWw8Tiqr88URDO/mOhE8edSY93ZSuALnPYeD/VS1VftEqvKbtSA7BgWxKhRddOrm5Sc9VMjk=

Slide 59

Slide 59 text

(Near?) Future

Slide 60

Slide 60 text

WebSockets
●Couldn't get SignalR working with IIS 8 and WebSockets
●Getting started with WebSockets in Windows 8
○http://www.paulbatum.com/2011/09/getting-started-with-websockets-in.html
○https://github.com/paulbatum/PushFrenzy
●Hard to peek under the covers - RFC 6455:
○1.7. Relationship to TCP and HTTP: "The WebSocket Protocol is an independent TCP-based protocol. Its only relationship to HTTP is that its handshake is interpreted by HTTP servers as an Upgrade request."
○http://tools.ietf.org/html/rfc6455

Slide 61

Slide 61 text

WebSockets - PushFrenzy
GET http://localhost/PushFrenzy.Web/connect?nickname=IE&gamesize=2 HTTP/1.1
Origin: localhost
Sec-WebSocket-Key: 9l4ov6WTcktNZhDxzofNsA==
Connection: Upgrade
Upgrade: Websocket
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Host: localhost
Cache-Control: no-cache

HTTP/1.1 101 Switching Protocols
Cache-Control: private
Upgrade: Websocket
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
Sec-WebSocket-Accept: 2npInS6ZLafsQdJ4EPNxraKGlpY=
Connection: Upgrade
X-Powered-By: ASP.NET
Date: Tue, 03 Apr 2012 20:40:47 GMT
●Note: the browser does not apply the same-origin policy to WebSocket connections. A server that wants to refuse connections opened by other sites' pages has to check Origin itself during this handshake (Sec-WebSocket-Accept only proves the server understood a WebSocket handshake).

Slide 62

Slide 62 text

No content

Slide 63

Slide 63 text

http://websocketstest.com/

Slide 64

Slide 64 text

WebSockets - Fiddler
●Glimpse of the future: Fiddler and HTML5 WebSockets
○http://blogs.msdn.com/b/fiddler/archive/2011/11/22/fiddler-and-websockets.aspx
●Single Request/Response entry
●Most data appears in Log tab
●Look for these bytes in upcoming slides
○81 0A 63 6F 6E 6E 65 63 74 65 64 2C

Slide 65

Slide 65 text

WebSockets - Fiddler
GET http://ws.websocketstest.com/service HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Host: ws.websocketstest.com
Origin: http://websocketstest.com
Sec-WebSocket-Key: a05pbM96VhcorGnOP29sOw==
Sec-WebSocket-Version: 13
Cookie: __utma=245398530.78459945.1333486200.1333486200.1333486200.1; __utmb=245398530.7.10.1333486200; __utmc=245398530; __utmz=245398530.1333486200.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 101 Switching Protocols
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Accept: dHDHGWWR3k2+1linxGu02hAH/00=

EndTime: 16:24:34.380

Slide 66

Slide 66 text

WebSockets - Fiddler Log Start
16:22:18:9186 Upgrading Session #29 to websocket
16:22:18:9886 [WebSocket #29] Received from server 12 bytes
  Flags: 10000001  Message Masking: False.  Data length: 10 bytes.
  81 0A 63 6F 6E 6E 65 63 74 65 64 2C    ..connected,
16:22:18:9886 [WebSocket #29] Received from browser 14 bytes
  Flags: 10000001  Message Masking: True.  Data length: 8 bytes.  Masking key is: 8C 07 80 8F
  81 88 8C 07 80 8F FA 62 F2 FC E5 68 EE A3    (masked; unmasks to "version,")
16:22:19:0586 [WebSocket #29] Received from server 23 bytes
  Flags: 10000001  Message Masking: False.  Data length: 21 bytes.
  81 15 76 65 72 73 69 6F 6E 2C 68 79 62 69 2D 64 72 61 66 74 2D 31 33    ..version,hybi-draft-13
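As an added example, not from the talk or from Fiddler, the two RFC 6455 mechanics visible on the WebSocket slides in Python: the Sec-WebSocket-Accept computation from the handshake (slides 61 and 65) and a parser/builder for the frames in the Fiddler log above. "Flags: 10000001" is FIN=1 with opcode 1 (text); the 0x88 second byte on the browser frame is the mask bit plus an 8-byte length, and XOR-ing with the 4-byte key 8C 07 80 8F recovers "version,". The frame bytes used in the test are the ones printed in the log; the handshake test uses the key/accept pair from RFC 6455 itself.

```python
"""RFC 6455 handshake accept value and frame masking/parsing.
Added example, not from the talk or Fiddler; sample bytes are those in the log."""
import base64
import hashlib
from typing import Optional, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455 section 1.3


def accept_key(sec_websocket_key: str) -> str:
    """Server side of the handshake: base64(SHA-1(key + GUID)). This only proves the
    peer understood a WebSocket handshake; it is not authentication of anyone."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_frame(buf: bytes) -> Tuple[bool, int, bytes, int]:
    """Decode one frame: (fin, opcode, unmasked payload, bytes consumed).
    Raises ValueError unless buf holds the complete frame."""
    if len(buf) < 2:
        raise ValueError("short frame header")
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F            # 1 text, 2 binary, 8 close, 9 ping, 10 pong
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    pos = 2
    if length == 126:
        length, pos = int.from_bytes(buf[2:4], "big"), 4
    elif length == 127:
        length, pos = int.from_bytes(buf[2:10], "big"), 10
    mask = buf[pos:pos + 4] if masked else b""
    if masked:
        pos += 4
    payload = buf[pos:pos + length]
    if len(buf) < pos or len(payload) != length or (masked and len(mask) != 4):
        raise ValueError("truncated frame")
    if masked:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos + length


def build_frame(payload: bytes, opcode: int = 0x1, mask: Optional[bytes] = None) -> bytes:
    """Encode one final (FIN) frame. Browsers mask every client frame with 4 fresh
    random bytes (os.urandom(4) in a real client); servers send unmasked."""
    if mask is not None and len(mask) != 4:
        raise ValueError("mask must be 4 bytes")
    head = bytearray([0x80 | (opcode & 0x0F)])
    flag = 0x80 if mask else 0x00
    n = len(payload)
    if n < 126:
        head.append(flag | n)
    elif n < 65536:
        head.append(flag | 126)
        head += n.to_bytes(2, "big")
    else:
        head.append(flag | 127)
        head += n.to_bytes(8, "big")
    if mask:
        head += mask
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes(head) + payload
```

Client-to-server masking exists to stop a page from writing attacker-chosen bytes onto the wire in a form an intermediary might mistake for HTTP; it is not confidentiality, which is why the Fiddler log can print the unmasked text next to the bytes.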

Slide 67

Slide 67 text

WebSockets - Fiddler Log End
16:24:33:5642 [WebSocket #29] Received from server 24 bytes
  Flags: 10000001  Message Masking: False.  Data length: 22 bytes.
  81 16 74 69 6D 65 2C 32 30 31 32 2F 34 2F 33 20 32 31 3A 32 32 3A 31 39    ..time,2012/4/3 21:22:19
16:24:34:3802 [WebSocket #29] OnClientReceive from browser failed; ret=0

Slide 68

Slide 68 text

WebSockets - Wireshark Capture ●Wireshark notes that this HTTP does not seem right ○"Continuation or non-HTTP traffic"

Slide 69

Slide 69 text

WebSockets - Wireshark Capture
16:22:18:9186 Upgrading Session #29 to websocket
16:22:18:9886 [WebSocket #29] Received from server 12 bytes
  Flags: 10000001  Message Masking: False.  Data length: 10 bytes.
  81 0A 63 6F 6E 6E 65 63 74 65 64 2C    connected,

Slide 70

Slide 70 text

WebSockets - Wireshark Capture

Slide 71

Slide 71 text

SPDY
●An experimental protocol for a faster web
○http://dev.chromium.org/spdy/spdy-whitepaper
○"application-layer protocol for transporting content over the web, designed specifically for minimal latency"
○"TCP is the generic, reliable transport protocol, providing guaranteed delivery, duplicate suppression, in-order delivery, flow control, congestion avoidance and other transport features."
○"HTTP is the application level protocol providing basic request/response semantics."
○"adds a session layer atop of SSL that allows for multiple concurrent, interleaved streams over a single TCP connection"

Slide 72

Slide 72 text

SPDY - Request Changes
●First line of the request is unfolded into name/value pairs like other HTTP headers
●Duplicate header names are not allowed
●Header names are all lowercase
●The Connection and Keep-Alive headers are no longer valid and are ignored if present
●Clients assumed to support Accept-Encoding: gzip
●HTTP request headers are compressed with gzip encoding
●The "host" header is ignored as the host:port portion of the HTTP URL is the definitive host
●Content-length is only advisory for length (so that progress meters can work)
●Chunked encoding is no longer valid

Slide 73

Slide 73 text

SPDY - Response Changes
●The response status line is unfolded into name/value pairs like other HTTP headers
●All header names must be lowercase
●The Connection and Keep-alive response headers are no longer valid
●Content-length is only advisory for length
●Chunked encoding is no longer valid
●Duplicate header names are not allowed

Slide 74

Slide 74 text

SPDY - Tools and Debugging
●New protocol = new debugging tools
○Chrome about:net-internals

Slide 75

Slide 75 text

Questions? (and, please evaluate http://tccc.agilevent.com/)