Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
HTTP Potpourri

Kevin Hakanson
Twin Cities Code Camp 12
14-15 April 2012
Are You In The Right Place?
● This talk:
○ Embracing HTTP is an important property of well constructed ReSTful and web
api...
Kevin Hakanson
@hakanson
#tccc12

kevin.hakanson@gmail.com

github.com/hakanson

stackoverflow.com/users/22514/kevin-hakan...
What to Expect
● define:potpourri
○ "A collection of various things; an assortment, mixed bag
or motley" - Wiktionary
● "B...
Tools and Technologies
● IE 10, Chrome 17, Firefox 11
● Fiddler, Wireshark
● curl (Git Bash)
● Windows 8 Consumer Preview
...
Methods
● RFC 2616, Section 9 defines these "methods" (the word
"verb" does not appear in http://www.ietf.org/rfc/rfc2616....
Headers
● HTTP header fields, which include
http://www.w3.org/Protocols/rfc2616/rfc2616.html
○ general-header (section 4.5...
Headers
● "Multiple message-header fields with the same field-name
MAY be present in a message if and only if the entire f...
Headers - Browser Request Defaults
GET http://localhost:4952/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accep...
Headers - Case Insensitive
● Field names are case-insensitive.
○ http://stackoverflow.com/questions/1130297/in-ie-the-x-re...
Headers - Case Insensitive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR
2.0...
What's Special About These Headers?
Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-M...
Can't Set with XMLHttpRequest
● Read the spec for setRequestHeader()
http://www.w3.org/TR/XMLHttpRequest/#the-setrequesthe...
Encoding and Character Sets
● Accept-Encoding
○ gzip, compress, deflate, identity
● Transfer-Encoding
○ identity, chunked
...
Code
HelloWebAPI
● Let's start with "Your First ASP.NET Web API (C#)"
○ http://www.asp.net/web-api/overview/getting-started-wit...
Fiddler & Transfer-Encoding: gzip
"Flush the Buffer Early"
● Best Practices for Speeding Up Your Web Site
○ http://developer.yahoo.com/performance/rules.htm...
IE10 & Transfer-Encoding: chunked
Looks good to me...
Fiddler & Transfer-Encoding: chunked

however,
0x781 = 1921
"Flush the Buffer" and .aspx
this.HttpContext.Response.Buffer = true;
</head>
<% HttpContext.Current.Response.Flush(); %>
...
IIS / ASP.NET Custom Headers
● What are these?
○ X-AspNetMvc-Version
○ X-AspNet-Version
○ X-SourceFiles
○ X-Powered-By
● H...
X- Fields
● Go by various names, referred to
○ as x-token in the BNF of RFC 2045
○ as user-defined ("X-") in section 5 of ...
X-AspNetMvc-Version: 4.0
● To remove this header, in the Application_Start()
of Global.asax.cs add:
○ MvcHandler.DisableMv...
X-AspNet-Version: 4.0.30319
● To remove this header, in Web.config, add:
<system.web>
<httpRuntime enableVersionHeader="fa...
X-Powered-By: ASP.NET
● To remove this header, in Web.config add:
<system.webServer>
<httpProtocol>
<customHeaders>
<remov...
X-SourceFiles
● http://stackoverflow.com/questions/4851684/what-does-thex-sourcefiles-header-do
● X-SourceFiles: =?UTF-8?B...
Header Limits?
● IIS has several limits
http://stackoverflow.com/questions/1097651/is-there-apractical-http-header-length-...
This Slide Intentionally
Left Blank
File Upload
● jQuery File Upload Plugin
○ "Files can be uploaded as standard "multipart/form-data"
or file contents stream...
RFC 2388 multipart message
POST http://localhost:4952/Logo/Upload HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Con...
$('#id').fileupload({multipart:false})
POST http://localhost:4952/Logo/Upload HTTP/1.1
Host: localhost:4952
Connection: ke...
Page Load
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
User-Agent: Mozilla...
Etag and 304
● Use MD5 hash of data to generate Etag value
● Compare MD5 hash against If-None-Match to return 304
String h...
F5 Reload
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Cache-Control: max-...
Ctrl + F5 Reload
GET http://localhost:4952/Logo/Download HTTP/1.1
Host: localhost:4952
Connection: keep-alive
Cache-Contro...
Cache Headers
● Set Cache-Control:

public,max-age=X

with <clientCache>

http://www.iis.net/ConfigReference/system.webSer...
Squid Proxy
● Squid 2.7 for Windows (http://squid.acmeconsulting.it/)
● squid.conf
○ http_access allow localhost
● Set pro...
PURGE
● Purge and object from Squid cache
○ http://wiki.squid-cache.org/SquidFaq/OperatingSquid
● squid.conf
○ acl PURGE m...
WebDAV
● "extension to the HTTP/1.1 protocol that allows clients to
perform remote web content authoring operations"
● Lev...
curl - transfer a url
● Installed on Windows if you have Git Bash
○ http://curl.haxx.se/docs/manpage.html
● Some options
-...
WebDAV - PROPFIND Request
$ curl --proxy localhost:8888 --request
PROPFIND http://localhost:4952/Logo/Download
PROPFIND ht...
WebDAV - PROPFIND Response
HTTP/1.1 207 Multi-Status
Cache-Control: private
Content-Type: text/xml
Server: Microsoft-IIS/7...
public ActionResult Propfind()
[ActionName("Download")]
[AcceptVerbs("PROPFIND")]
public ActionResult Propfind()
{
Respons...
Propfind.cshtml
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>@Request.Url</...
Browser Security
X-Frame-Options
● Combating ClickJacking With X-Frame-Options
○ http://blogs.msdn.
com/b/ieinternals/archive/2010/03/30/co...
HTTP Strict Transport Security
● Allows a site to request that it always be contacted over
HTTPS.
○ http://dev.chromium.or...
Cross-Origin Resource Sharing
● a.k.a. CORS http://www.w3.org/TR/cors/
● Implementing CORS support in ASP.NET Web APIs
○ h...
CORS Preflight Request/Response
OPTIONS http://localhost:4952/api/Values/ HTTP/1.1
Host: localhost:4952
Connection: keep-a...
Demo
http://localhost:7147/
Cross-Site Request Forgery (CSRF)
● How to use ASP.NET MVC anti-forgery helpers with web
apis?
● Started with "Preventing ...
Modifications
● Controller code
var inputTag = AntiForgery.GetHtml(this.HttpContext, null, null, null).ToString();
var tok...
CSRF
GET http://localhost:4952/api/products/ HTTP/1.1
__RequestVerificationToken:
q592rxZ1san7NwORzH0SkHp8rpIYB9IDgosSIt+/...
(Near?) Future
WebSockets
● Couldn't get SignalR working with IIS 8 and WebSockets
● Getting started with WebSockets in Windows 8
○ http:...
WebSockets - PushFrenzy
GET http://localhost/PushFrenzy.Web/connect?nickname=IE&gamesize=2 HTTP/1.1
Origin: localhost
Sec-...
http://websocketstest.com/
WebSockets - Fiddler
● Glimpse of the future: Fiddler and HTML5 WebSockets
○ http://blogs.msdn.com/b/fiddler/archive/2011/...
WebSockets - Fiddler
GET http://ws.websocketstest.com/service HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Host: ws.web...
WebSockets - Fiddler Log Start
16:22:18:9186 Upgrading Session #29 to websocket
16:22:18:9886 [WebSocket #29] Received fro...
WebSockets - Fiddler Log End
16:24:33:5642 [WebSocket #29] Received from server
24 bytes
Flags: 10000001 Message Masking: ...
WebSockets - Wireshark Capture
● Wireshark notes that this HTTP does not seem right
○ "Continuation or non-HTTP traffic"
WebSockets - Wireshark Capture
16:22:18:9186 Upgrading Session #29 to websocket
16:22:18:9886 [WebSocket #29] Received fro...
WebSockets - Wireshark Capture
SPDY

● An experimental protocol for a faster web
○ http://dev.chromium.org/spdy/spdy-whitepaper
○ "application-layer prot...
SPDY - Request Changes
● First line of the request is unfolded into name/value pairs like
other HTTP headers
● Duplicate h...
SPDY - Response Changes
● The response status line is unfolded into name/value pairs
like other HTTP headers
● All header ...
SPDY - Tools and Debugging
● New protocol = new debugging tools
○ Chrome about:net-internals
Questions?
(and, please evaluate
http://tccc.agilevent.com/)
HTTP Potpourri
HTTP Potpourri
HTTP Potpourri
HTTP Potpourri
HTTP Potpourri
Upcoming SlideShare
Loading in …5
×

HTTP Potpourri

4,296 views

Published on

Embracing HTTP is an important property of well constructed ReSTful and web apis. Every web developer is familiar with GET and POST, 200 and 404, Accept and Content-Type; but what about 207 and 413, OPTIONS and PROPFIND, Transfer-Encoding and X-File-Size? This session will be based on usage of various HTTP methods, headers and status codes drawn from the development of large scale, web applications. Examples will include raw HTTP, mixed in with JavaScript and ASP.NET MVC code.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

HTTP Potpourri

  1. 1. HTTP Potpourri Kevin Hakanson Twin Cities Code Camp 12 14-15 April 2012
  2. 2. Are You In The Right Place? ● This talk: ○ Embracing HTTP is an important property of well constructed ReSTful and web apis. Every web developer is familiar with GET and POST, 200 and 404, Accept and Content-Type; but what about 207 and 413, OPTIONS and PROPFIND, Transfer-Encoding and X-File-Size? This session will be based on usage of various HTTP methods, headers and status codes drawn from the development of large scale, web applications. Examples will include raw HTTP, mixed in with JavaScript and ASP.NET MVC code. ● This speaker: ○ Kevin Hakanson is an application architect for Thomson Reuters where he is focused on highly scalable web applications. His background includes both .NET and Java, but he is most nostalgic about Lotus Notes. He has been developing professionally since 1994 and holds a Master’s degree in Software Engineering. When not staring at a computer screen, he is probably staring at another screen, either watching TV or playing video games with his family.
  3. 3. Kevin Hakanson @hakanson #tccc12 kevin.hakanson@gmail.com github.com/hakanson stackoverflow.com/users/22514/kevin-hakanson
  4. 4. What to Expect ● define:potpourri ○ "A collection of various things; an assortment, mixed bag or motley" - Wiktionary ● "Based on a True Story" ○ derived from production code from large scale, web app ○ combined with stackoverflow questions ○ and a mix of web tutorials ● Combination of informational slides with highlights, screenshots, code samples and HTTP snippets ● Attempts at humor ● Questions (OK during presentation)
  5. 5. Tools and Technologies ● IE 10, Chrome 17, Firefox 11 ● Fiddler, Wireshark ● curl (Git Bash) ● Windows 8 Consumer Preview ● Visual Studio 11 (beta) ● ASP.NET MVC 4 ● Squid ● Alt + PrtScr; Paint.NET ● memegenerator.net ● live co-worker audience
  6. 6. Methods ● RFC 2616, Section 9 defines these "methods" (the word "verb" does not appear in http://www.ietf.org/rfc/rfc2616.txt) ○ OPTIONS, GET, HEAD, PUT, POST, DELETE, TRACE, CONNECT ● Only GET and POST work with <form method=""> ● Everything allowed with AJAX ● Sometimes you need X-HTTP-Method-Override ○ http://stackoverflow.com/questions/467535/is-it-possible-to-implement-x-httpmethod-override-in-asp-net-mvc ○ <%=Html.HttpMethodOverride(HttpVerbs.Delete) %> ○ <input name="X-HTTP-Method-Override" type="hidden" value="DELETE" />
  7. 7. Headers ● HTTP header fields, which include http://www.w3.org/Protocols/rfc2616/rfc2616.html ○ general-header (section 4.5) ○ request-header (section 5.3) ○ response-header (section 6.2) ○ entity-header (section 7.1) ● Permanent Message Header Field Names ○ http://www.iana.org/assignments/message-headers/permheaders.html
  8. 8. Headers ● "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire fieldvalue for that header field is defined as a comma-separated list [i.e., #(values)]" ● The following are equivalent Field-Name: field-value Field-Name: field-value2 Field-Name: field-value1,field-value2
  9. 9. Headers - Browser Request Defaults GET http://localhost:4952/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: localhost:4952 GET http://localhost:4952/ HTTP/1.1 Host: localhost:4952 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate, sdch Accept-Language: en-US, en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 GET http://localhost:4952/ HTTP/1.1 Host: localhost:4952 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:11.0) Gecko/20100101 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us, en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Firefox/11.0
  10. 10. Headers - Case Insensitive ● Field names are case-insensitive. ○ http://stackoverflow.com/questions/1130297/in-ie-the-x-requested-withheader-of-jquery-becomes-x-requested-with-lower function doXHR() { var request = new XMLHttpRequest(); request.open('GET', '/header/header.txt'); request.setRequestHeader('x-lowercase', 'X-lowercase'); request.setRequestHeader('x-Propercase', 'X-Propercase'); request.setRequestHeader('x-CamelCase', 'X-CamelCase'); request.setRequestHeader('x-UPPERCASE', 'X-UPPERCASE'); request.onreadystatechange = function() { if (request.readyState == 4) { console.log('Received XMLHttpRequest callback: n' + request.responseText); } }; request.send(""); }
  11. 11. Headers - Case Insensitive User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618) x-lowercase: X-lowercase x-camelcase: X-CamelCase x-uppercase: X-UPPERCASE x-propercase: X-Propercase User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Safari/528.17 X-Lowercase: X-lowercase X-Uppercase: X-UPPERCASE X-Camelcase: X-CamelCase X-Propercase: X-Propercase User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729) x-lowercase: X-lowercase x-Propercase: X-Propercase x-CamelCase: X-CamelCase x-UPPERCASE: X-UPPERCASE
  12. 12. What's Special About These Headers? Accept-Charset Accept-Encoding Access-Control-Request-Headers Access-Control-Request-Method Connection Content-Length Cookie Cookie2 Content-Transfer-Encoding Date Expect Host Keep-Alive Origin Proxy-* Referer Sec-* TE Trailer Transfer-Encoding Upgrade User-Agent Via
  13. 13. Can't Set with XMLHttpRequest ● Read the spec for setRequestHeader() http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method ● Or look at the WebKit source code http://trac.webkit.org/browser/trunk/Source/WebCore/xml/XMLHttpRequest.cpp? rev=105076 bool XMLHttpRequest::isAllowedHTTPHeader(const String& name) { initializeXMLHttpRequestStaticData(); return !staticData->m_forbiddenRequestHeaders.contains(name) && !name.startsWith(staticData->m_proxyHeaderPrefix, false) && !name.startsWith(staticData->m_secHeaderPrefix, false); }
  14. 14. Encoding and Character Sets ● Accept-Encoding ○ gzip, compress, deflate, identity ● Transfer-Encoding ○ identity, chunked ● 19.4.5 No Content-Transfer-Encoding ○ "HTTP MUST remove any non-identity CTE ("quotedprintable" or "base64") encoding" ● 3.4 Character Sets ○ Note: This use of the term "character set" is more commonly referred to as a "character encoding." However, since HTTP and MIME share the same registry, it is important that the terminology also be shared.
  15. 15. Code
  16. 16. HelloWebAPI ● Let's start with "Your First ASP.NET Web API (C#)" ○ http://www.asp.net/web-api/overview/getting-started-withaspnet-web-api/tutorial-your-first-web-api ● Demo ○ http://localhost:4952/
  17. 17. Fiddler & Transfer-Encoding: gzip
  18. 18. "Flush the Buffer Early" ● Best Practices for Speeding Up Your Web Site ○ http://developer.yahoo.com/performance/rules.html ● In ViewsShared_Layout.cshtml, add Response.Flush </head> @{ Response.Buffer = true; Response.Flush(); } <body> @RenderBody() </body> </html>
  19. 19. IE10 & Transfer-Encoding: chunked Looks good to me...
  20. 20. Fiddler & Transfer-Encoding: chunked however, 0x781 = 1921
  21. 21. "Flush the Buffer" and .aspx this.HttpContext.Response.Buffer = true; </head> <% HttpContext.Current.Response.Flush(); %> <body> chunked utf-8 gzip 296 a3 0
  22. 22. IIS / ASP.NET Custom Headers ● What are these? ○ X-AspNetMvc-Version ○ X-AspNet-Version ○ X-SourceFiles ○ X-Powered-By ● How do I remove, since I "trust no one"?
  23. 23. X- Fields ● Go by various names, referred to ○ as x-token in the BNF of RFC 2045 ○ as user-defined ("X-") in section 5 of RFC 2047 ○ as Experimental headers in section 4.2.2.1 of the News Article Format draft http://stackoverflow.com/questions/1810915/is-safe-touse-x-header-in-a-http-response ● Deprecating Use of the "X-" Prefix in Application Protocols (draft 03; January 27, 2012) http://tools.ietf.org/html/draft-saintandre-xdash-03 ○ "deprecates the "X-" convention for most application protocols by making specific recommendations"
  24. 24. X-AspNetMvc-Version: 4.0 ● To remove this header, in the Application_Start() of Global.asax.cs add: ○ MvcHandler.DisableMvcResponseHeader = true; ● http://stackoverflow.com/questions/3418557/how-to-removeasp-net-mvc-default-http-headers/3418574#3418574
  25. 25. X-AspNet-Version: 4.0.30319 ● To remove this header, in Web.config, add: <system.web> <httpRuntime enableVersionHeader="false" /> </system.web> ● http://stackoverflow.com/questions/3418557/how-to-removeasp-net-mvc-default-http-headers/3418574#3418574
  26. 26. X-Powered-By: ASP.NET ● To remove this header, in Web.config add: <system.webServer> <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol> </system.webServer>
  27. 27. X-SourceFiles ● http://stackoverflow.com/questions/4851684/what-does-thex-sourcefiles-header-do ● X-SourceFiles: =?UTF-8?B? YzpcdXNlcnNcZGV2ZWxvcGVyXGRvY3VtZW50c1x2aXN1Y Wwgc3R1ZGlvIDExXFByb2plY3RzXEhlbGxvV2ViQVBJXE hlbGxvV2ViQVBJ?= ● Decodes to: ○ c:usersdeveloperdocumentsvisual studio 11ProjectsHelloWebAPIHelloWebAPI ● encoded-word (http://tools.ietf.org/html/rfc1342) ○ "=" "?" charset "?" encoding "?" encoded-text "?" "=" ○ encoding either "B" (Base64) or "Q" (Quoted Printable)
  28. 28. Header Limits? ● IIS has several limits http://stackoverflow.com/questions/1097651/is-there-apractical-http-header-length-limit ● Http.sys registry settings for IIS http://support.microsoft.com/kb/820129 ○ MaxFieldLength is "upper limit for each header" ○ MaxRequestBytes is "upper limit for the total size of the Request line and the headers" ● Header Limits <headerLimits> http://www.iis.net/ConfigReference/system. webServer/security/requestFiltering/requestLimits/headerLim its ○ limit the length of a specific header <add header="Content-type" sizeLimit="100" />
  29. 29. This Slide Intentionally Left Blank
  30. 30. File Upload ● jQuery File Upload Plugin ○ "Files can be uploaded as standard "multipart/form-data" or file contents stream (HTTP PUT file upload)." ○ https://github.com/blueimp/jQuery-File-Upload <input id="fileupload" type="file" name="files[]" dataurl="/Logo/Upload" multiple> $('#fileupload').fileupload({});
  31. 31. RFC 2388 multipart message POST http://localhost:4952/Logo/Upload HTTP/1.1 Host: localhost:4952 Connection: keep-alive Content-Length: 17860 Origin: http://localhost:4952 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryV7HK5HxBBDfYoirj Accept: application/json, text/javascript, */*; q=0.01 Referer: http://localhost:4952/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 ------WebKitFormBoundaryV7HK5HxBBDfYoirj Content-Disposition: form-data; name="files[]"; filename="logo.png" Content-Type: image/png �PNG ��� ------WebKitFormBoundaryV7HK5HxBBDfYoirj--
  32. 32. $('#id').fileupload({multipart:false}) POST http://localhost:4952/Logo/Upload HTTP/1.1 Host: localhost:4952 Connection: keep-alive Content-Length: 17662 Origin: http://localhost:4952 X-File-Size: 17662 X-Requested-With: XMLHttpRequest X-File-Name: logo.png User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Content-Type: image/png Accept: application/json, text/javascript, */*; q=0.01 X-File-Type: image/png Referer: http://localhost:4952/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
  33. 33. Page Load GET http://localhost:4952/Logo/Download HTTP/1.1 Host: localhost:4952 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Accept: */* Referer: http://localhost:4952/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Content-Encoding: gzip ETag: dada50d251fa1ac5c4b25961f87671dd Vary: Accept-Encoding Server: Microsoft-IIS/7.5 Date: Fri, 06 Apr 2012 19:58:03 GMT Content-Length: 25973
  34. 34. Etag and 304 ● Use MD5 hash of data to generate Etag value ● Compare MD5 hash against If-None-Match to return 304 String hash = logoInfo.Etag; if (hash.Equals(Request.Headers["If-None-Match"])) { Response.StatusCode = 304; } else { Response.ContentType = logoInfo.ContentType; Response.Headers["Etag"] = hash; logoInfo.Stream.Position = 0; logoInfo.Stream.CopyTo(Response.OutputStream); }
  35. 35. F5 Reload GET http://localhost:4952/Logo/Download HTTP/1.1 Host: localhost:4952 Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 If-None-Match: dada50d251fa1ac5c4b25961f87671dd Accept: */* Referer: http://localhost:4952/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 HTTP/1.1 304 Not Modified Cache-Control: private Server: Microsoft-IIS/7.5 Date: Fri, 06 Apr 2012 19:58:39 GMT
  36. 36. Ctrl + F5 Reload GET http://localhost:4952/Logo/Download HTTP/1.1 Host: localhost:4952 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Accept: */* Referer: http://localhost:4952/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Content-Encoding: gzip ETag: dada50d251fa1ac5c4b25961f87671dd Vary: Accept-Encoding Server: Microsoft-IIS/7.5 Date: Fri, 06 Apr 2012 20:00:38 GMT Content-Length: 25973
  37. 37. Cache Headers ● Set Cache-Control: public,max-age=X with <clientCache> http://www.iis.net/ConfigReference/system.webServer/staticContent/clientCache ● Clear Etag needs URL Rewrite Module 2.0 installed http://stackoverflow.com/questions/7947420/iis-7-5-remove-etag-headers-fromresponse <system.webServer> <staticContent> <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" /> </staticContent> <rewrite> <outboundRules> <rule name="Remove ETag"> <match serverVariable="RESPONSE_ETag" pattern=".+" /> <action type="Rewrite" value="" /> </rule> </outboundRules> </rewrite> </system.webServer>
  38. 38. Squid Proxy ● Squid 2.7 for Windows (http://squid.acmeconsulting.it/) ● squid.conf ○ http_access allow localhost ● Set proxy as localhost:3128 then see additional response headers Proxy-Connection: keep-alive Via: 1.1 U0038137-W8A:3128 (squid/2.7.STABLE8) X-Cache: MISS from U0038137-W8A X-Cache-Lookup: MISS from U0038137-W8A:3128
  39. 39. PURGE ● Purge and object from Squid cache ○ http://wiki.squid-cache.org/SquidFaq/OperatingSquid ● squid.conf ○ acl PURGE method PURGE ○ http_access allow PURGE localhost ○ http_access deny PURGE ● squidclient -m PURGE <url> ● curl --request PURGE --proxy localhost:3128 <url>
  40. 40. WebDAV ● "extension to the HTTP/1.1 protocol that allows clients to perform remote web content authoring operations" ● Leveraged existing HTTP Methods ○ GET, HEAD, POST, DELETE, PUT ● Defined new HTTP Methods ○ PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK ● New Status Codes ○ 102 Processing, 207 Multi-Status, 422 Unprocessable Entity, 423 Locked, 424 Failed Dependency, 507 Insufficient Storage
  41. 41. curl - transfer a url ● Installed on Windows if you have Git Bash ○ http://curl.haxx.se/docs/manpage.html ● Some options --compressed --data-binary <data> -F, --form <name=content> -H, --header <header> --limit-rate <speed> -o, --output <file> -T, --upload-file <file> -x, --proxy <[protocol://][user@password]proxyhost[:port]> -X, --request <command>
  42. 42. WebDAV - PROPFIND Request $ curl --proxy localhost:8888 --request PROPFIND http://localhost:4952/Logo/Download PROPFIND http://localhost:4952/Logo/Download HTTP/1.1 User-Agent: curl/7.21.1 (i686-pc-mingw32) libcurl/7.21.1 OpenSSL/0.9.8r zlib/1.2.3 Host: localhost:4952 Accept: */* Connection: Keep-Alive
  43. 43. WebDAV - PROPFIND Response HTTP/1.1 207 Multi-Status Cache-Control: private Content-Type: text/xml Server: Microsoft-IIS/7.5 Date: Sat, 07 Apr 2012 20:53:01 GMT Content-Length: 532 <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://localhost:4952/Logo/Download</D:href> <D:propstat> <D:prop> <D:status>HTTP/1.1 200 OK</D:status> <D:getcontenttype>image/png</D:getcontenttype> <D:getlastmodfiied>Sat, 07 Apr 2012 20:45:05 GMT</D:getlastmodfiied> <D:getetag>dada50d251fa1ac5c4b25961f87671dd</D:getetag> <D:creationdate>Sat, 07 Apr 2012 20:45:05 GMT</D:creationdate> </D:prop> </D:propstat> </D:response> </D:multistatus>
  44. 44. public ActionResult Propfind() [ActionName("Download")] [AcceptVerbs("PROPFIND")] public ActionResult Propfind() { Response.StatusCode = 207; Response.ContentType = "text/xml"; Response.Charset = null; ViewBag.ContentType = logoInfo.ContentType; ViewBag.Date = logoInfo.Date; ViewBag.Etag = logoInfo.Etag; return PartialView("Propfind"); }
  45. 45. Propfind.cshtml <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>@Request.Url</D:href> <D:propstat> <D:prop> <D:status>HTTP/1.1 200 OK</D:status> <D:getcontenttype>@ViewBag.ContentType</D:getcontenttype> <D:getlastmodfiied> @ViewBag.Date.ToUniversalTime().ToString("r") </D:getlastmodfiied> <D:getetag>@ViewBag.Etag</D:getetag> <D:creationdate> @ViewBag.Date.ToUniversalTime().ToString("r") </D:creationdate> </D:prop> </D:propstat> </D:response> </D:multistatus>
  46. 46. Browser Security
  47. 47. X-Frame-Options ● Combating ClickJacking With X-Frame-Options ○ http://blogs.msdn. com/b/ieinternals/archive/2010/03/30/combatingclickjacking-with-x-frame-options.aspx ● Browser Support: ○ IE8+, Safari 4+, Chrome 4+, Firefox 3.6.9+ ○ Test at http://www.enhanceie.com/test/clickjack/ ● Value may be one of ○ DENY - block rendering if within a frame ○ SAMEORIGIN - block rendering if top leve browsing context is different ○ ALLOW-FROM origin - block rendering origin value if different
  48. 48. HTTP Strict Transport Security ● Allows a site to request that it always be contacted over HTTPS. ○ http://dev.chromium.org/sts ● Supported in Google Chrome, Firefox 4. ● Remembers that for the given number of seconds, that the current domain should only be contacted over HTTPS ● Spec ○ http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06 ● Example Response Header Strict-Transport-Security: max-age=15768000 ; includeSubDomains
  49. 49. Cross-Origin Resource Sharing ● a.k.a. CORS http://www.w3.org/TR/cors/ ● Implementing CORS support in ASP.NET Web APIs ○ http://blogs.msdn. com/b/carlosfigueira/archive/2012/02/21/implementing-corssupport-in-asp-net-web-apis-take-2.aspx ● Request Headers ○ Origin ○ Access-Control-Request-Method ○ Access-Control-Request-Headers ● Response Headers ○ Access-Control-Allow-Origin ○ Access-Control-Allow-Credentials ○ Access-Control-Expose-Headers ○ Access-Control-Max-Age ○ Access-Control-Allow-Methods ○ Access-Control-Allow-Headers
  50. 50. CORS Preflight Request/Response OPTIONS http://localhost:4952/api/Values/ HTTP/1.1 Host: localhost:4952 Connection: keep-alive Access-Control-Request-Method: POST Origin: http://localhost:7147 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Access-Control-Request-Headers: Origin, Content-Type, Accept Accept: */* Referer: http://localhost:7147/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Methods: POST Access-Control-Allow-Headers: Origin, Content-Type, Accept Access-Control-Allow-Origin: http://localhost:7147 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 28 Mar 2012 17:38:00 GMT Content-Length: 0
  51. 51. Demo http://localhost:7147/
  52. 52. Cross-Site Request Forgery (CSRF) ● How to use ASP.NET MVC anti-forgery helpers with web apis? ● Started with "Preventing CSRF with Ajax" http://haacked.com/archive/2011/10/10/preventing-csrf-withajax.aspx ● Used the "ASP.NET MVC 3 RTM Source Code" to peek into the inner workings of AntiForgery https://aspnet.codeplex.com/releases/view/58781
  53. 53. Modifications ● Controller code var inputTag = AntiForgery.GetHtml(this.HttpContext, null, null, null).ToString(); var tokenValue = Regex.Match(inputTag, "value="(.*)"").Groups[1].Value; ViewBag.RequestVerificationToken = tokenValue; ● View code $.ajaxPrefilter(function (options, originalOptions, jqXHR) { if (!options.headers) options.headers = {}; options.headers["__RequestVerificationToken"] = "@ViewBag.RequestVerificationToken"; }); ● validation not working yet, because: ○ System.Web.Http.Filters.FilterAttribute != System.Web. Mvc.FilterAttribute
  54. 54. CSRF GET http://localhost:4952/api/products/ HTTP/1.1 __RequestVerificationToken: q592rxZ1san7NwORzH0SkHp8rpIYB9IDgosSIt+/hB4hVsKUB/xsfCfsiqdStnHZ459xX+mM8VKL+IUP1CDM8jcoKv5L a1l4XszC5tz6FiIY2lVXZ+CaYytbjV2o+I0wJHyLvrpgjyzGwHHErwVv4jgDG3khJr1ibRGGJicFlWw= Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest Referer: http://localhost:4952/ Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; Media Center PC 6.0; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) Host: localhost:4952 Connection: Keep-Alive Cookie: __RequestVerificationToken_Lw__ =WVJj4wvLfroG56QsHbZHNxhSZBxbsf3nN1FPsBp8AWgyyuKSr19voC8zxwl1 wu1GfI9/uqKcdf03dtVN8Izm+JkDG6/j/zhnKFyYWw8Tiqr88URDO/mOhE8edSY93ZSuALnPYeD/VS1VftEqvKbtSA7B gWxKhRddOrm5Sc9VMjk=
  55. 55. (Near?) Future
  56. 56. WebSockets ● Couldn't get SignalR working with IIS 8 and WebSockets ● Getting started with WebSockets in Windows 8 ○ http://www.paulbatum.com/2011/09/getting-started-withwebsockets-in.html ○ https://github.com/paulbatum/PushFrenzy ● Hard to peek under the covers - RFC 6455: ○ 1.7. Relationship to TCP and HTTP The WebSocket Protocol is an independent TCP-based protocol. Its only relationship to HTTP is that its handshake is interpreted by HTTP servers as an Upgrade request. http://tools.ietf.org/html/rfc6455
  57. 57. WebSockets - PushFrenzy GET http://localhost/PushFrenzy.Web/connect?nickname=IE&gamesize=2 HTTP/1.1 Origin: localhost Sec-WebSocket-Key: 9l4ov6WTcktNZhDxzofNsA== Connection: Upgrade Upgrade: Websocket Sec-WebSocket-Version: 13 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) Host: localhost Cache-Control: no-cache HTTP/1.1 101 Switching Protocols Cache-Control: private Upgrade: Websocket Server: Microsoft-IIS/8.0 X-AspNet-Version: 4.0.30319 Sec-WebSocket-Accept: 2npInS6ZLafsQdJ4EPNxraKGlpY= Connection: Upgrade X-Powered-By: ASP.NET Date: Tue, 03 Apr 2012 20:40:47 GMT
  58. 58. http://websocketstest.com/
  59. 59. WebSockets - Fiddler ● Glimpse of the future: Fiddler and HTML5 WebSockets ○ http://blogs.msdn.com/b/fiddler/archive/2011/11/22/fiddlerand-websockets.aspx ● Single Request/Response entry ● Most data appears in Log tab ● Look for these bytes in upcoming slides ○ 81 0A 63 6F 6E 6E 65 63 74 65 64 2C
  60. 60. WebSockets - Fiddler GET http://ws.websocketstest.com/service HTTP/1.1 Upgrade: websocket Connection: Upgrade Host: ws.websocketstest.com Origin: http://websocketstest.com Sec-WebSocket-Key: a05pbM96VhcorGnOP29sOw== Sec-WebSocket-Version: 13 Cookie: __utma=245398530. 78459945.1333486200.1333486200.1333486200.1; __utmb=245398530. 7.10.1333486200; __utmc=245398530; __utmz=245398530.1333486200.1.1. utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) HTTP/1.1 101 Switching Protocols Upgrade: WebSocket Connection: Upgrade Sec-WebSocket-Accept: dHDHGWWR3k2+1linxGu02hAH/00= EndTime: 16:24:34.380
  61. 61. WebSockets - Fiddler Log Start 16:22:18:9186 Upgrading Session #29 to websocket 16:22:18:9886 [WebSocket #29] Received from server 12 bytes Flags: 10000001 Message Masking: False. Data length: 10 bytes. 81 0A 63 6F 6E 6E 65 63 74 65 64 2C �.connected, 16:22:18:9886 [WebSocket #29] Received from browser 14 bytes Flags: 10000001 Message Masking: True. Data length: 8 bytes. Masking key is: 8C 07 80 8F version, 81 88 8C 07 80 8F FA 62 F2 FC E5 68 EE A3 �ˆŒ.€�úbòüåhî£ 16:22:19:0586 [WebSocket #29] Received from server 23 bytes Flags: 10000001 Message Masking: False. Data length: 21 bytes. 81 15 76 65 72 73 69 6F 6E 2C 68 79 62 69 2D 64 72 61 66 74 2D 31 33 version,hybi-draft-13
  62. 62. WebSockets - Fiddler Log End 16:24:33:5642 [WebSocket #29] Received from server 24 bytes Flags: 10000001 Message Masking: False. Data length: 22 bytes. 81 16 74 69 6D 65 2C 32 30 31 32 2F 34 2F 33 20 32 31 3A 32 32 3A 31 39 �. time,2012/4/3 21:22:19 16:24:34:3802 [WebSocket #29] OnClientReceive from browser failed; ret=0
  63. 63. WebSockets - Wireshark Capture ● Wireshark notes that this HTTP does not seem right ○ "Continuation or non-HTTP traffic"
  64. 64. WebSockets - Wireshark Capture 16:22:18:9186 Upgrading Session #29 to websocket 16:22:18:9886 [WebSocket #29] Received from server 12 bytes Flags: 10000001 Message Masking: False. Data length: 10 bytes. 81 0A 63 6F 6E 6E 65 63 74 65 64 2C connected,
  65. 65. WebSockets - Wireshark Capture
  66. 66. SPDY ● An experimental protocol for a faster web ○ http://dev.chromium.org/spdy/spdy-whitepaper ○ "application-layer protocol for transporting content over the web, designed specifically for minimal latency" ○ "TCP is the generic, reliable transport protocol, providing guaranteed delivery, duplicate suppression, in-order delivery, flow control, congestion avoidance and other transport features." ○ "HTTP is the application level protocol providing basic request/response semantics." ○ "adds a session layer atop of SSL that allows for multiple concurrent, interleaved streams over a single TCP connection"
  67. 67. SPDY - Request Changes ● First line of the request is unfolded into name/value pairs like other HTTP headers ● Duplicate header names are not allowed ● Header names are all lowercase ● The Connection and Keep-Alive headers are no longer valid and are ignored if present ● Clients assumed to support Accept-Encoding: gzip ● HTTP request headers are compressed with gzip encoding ● The "host" header is ignored as the host:port portion of the HTTP URL is the definitive host ● Content-length is only advisory for length (so that progress meters can work) ● Chunked encoding is no longer valid.
  68. 68. SPDY - Response Changes ● The response status line is unfolded into name/value pairs like other HTTP headers ● All header names must be lowercase ● The Connection and Keep-alive response headers are no longer valid ● Content-length is only advisory for length ● Chunked encoding is no longer valid ● Duplicate header names are not allowed
  69. 69. SPDY - Tools and Debugging ● New protocol = new debugging tools ○ Chrome about:net-internals
  70. 70. Questions? (and, please evaluate http://tccc.agilevent.com/)

×