文章讲述了WebSocket协议中,客户端向服务器发送的所有帧,包括空的ping帧,都必须进行掩码加密。RFC6455规定了这一安全措施,以保护数据和混淆网络中间代理。
掩码用于给客户端到服务端的帧数据加密(异或的方式,非常简单),对此RFC6455中给了一些细节如下:
The masking key is contained completely within the frame, as defined in Section 5.2 as frame-masking-key. It is used to mask the "Payload data" defined in the same section as frame-payload-data, which includes "Extension data" and "Application data".
我们看到,这个写的很清楚,掩码是给 payload 进行加密用的,这个位置会产生一个误解,就是,如果我没有 payload 的时候,是不是可以不需要掩码?比如一个 ping 帧,不带任何数据是否不需要mask?
答案是否定的!
协议中有这么一段话:
In the WebSocket Protocol, data is transmitted using a sequence of frames. To avoid confusing network intermediaries (such as intercepting proxies) and for security reasons that are further discussed in Section 10.3, a client MUST mask all frames that it sends to the server (see Section 5.3 for further details). (Note that masking is done whether
最低0.47元/天 解锁文章
扫一扫
6444
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
