Recent discoveries found that the protocol that Websocket works with is vulnerable to attacks. Adam Barth demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the browser and the Internet. This is a serious threat to the Internet and Websocket and not a browser specific issue. The protocol vulnerabilities also affect Java and Flash solutions.

In a web environment that could for example mean that a widely used JavaScript file – like Google analytics – could be replaced on a cache you go through with a malware file. Google would not be to blame and it would be hard for you to trace where the file is from as it will not be on your server. To avoid a lot of malware showing up without being easily traceable we need to fix the protocol.

No Websocket support in Firefox 4 and Opera until the security issues are fixed

That’s why we’ve decided to disable support for WebSocket in Firefox 4, starting with beta 8 due to a protocol-level security issue. Beta 7 of Firefox has support for the -76 version of the protocol, the same version that’s included with Chrome and Safari. Beta 8 of Firefox 4 will remove that support. Anne van Kesteren of Opera also announced that Opera are dropping Websocket support. We are confident that other browser developers will follow.

Right now, your Websocket solutions will not work in Firefox 4 final. Once we have a version of the protocol that we feel is secure and stable, we will include it in a release of Firefox – even a minor update release. The code will remain in the tree to help development, but will only be activated when a developer sets a hidden preference in Firefox (the same applies to Opera). If your code does proper object detection nothing should go wrong – when a user doesn’t have Websocket enabled the window.WebSocket property will not be available.

Mozilla is still excited about what WebSocket offers and we’re working hard with the IETF on a new WebSocket protocol. Right now we are pushing the boundaries of what browsers can do for their users – this is what HTML5 is about. Whenever you push the boundaries of any technology you will run into issues. The great thing about our situation right now is that we can react quickly and swiftly to any issues arising and fix them before our end users are the ones who suffer. Making the whole world upgrade and patch a final browser is almost impossible which is why it makes sense to test and patch in betas and nightlies.

articles by Chris Heilmann…

December 8th, 2010 at 18:00

Shouldn’t you also disable Java and Flash as well?

Flash and Java, having been well designed, do not suffer this attack.
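The post's advice on object detection (check that window.WebSocket exists before using it), as an added example that is not part of the original post or Mozilla's code. The polling fallback, the `urls` fields and the injected `env` object (pass `window` in a browser) are assumptions made for illustration.

```javascript
// Added example: choose a transport by object detection.
// Assumptions (not from the post): the endpoint URLs, the HTTP polling
// fallback, and `env`, an object standing in for `window`.
function supportsWebSocket(env) {
  // With WebSocket disabled, the property is absent from window.
  return typeof env.WebSocket === 'function';
}

function openChannel(env, urls, onMessage) {
  if (supportsWebSocket(env)) {
    try {
      const ws = new env.WebSocket(urls.ws);
      ws.onmessage = (ev) => onMessage(ev.data);
      return { transport: 'websocket', close: () => ws.close() };
    } catch (err) {
      // Constructor exists but threw (e.g. a SecurityError): use the fallback.
    }
  }
  // Fallback: plain HTTP polling, which needs no window.WebSocket.
  let stopped = false;
  const poll = () => {
    if (stopped) return;
    env.fetch(urls.poll)
      .then((res) => res.text())
      .then((body) => { if (!stopped) onMessage(body); })
      .catch(() => {}) // one failed poll is ignored; the next one retries
      .then(() => {
        if (!stopped) timer = env.setTimeout(poll, urls.intervalMs || 5000);
      });
  };
  let timer = env.setTimeout(poll, 0);
  return {
    transport: 'polling',
    close: () => { stopped = true; env.clearTimeout(timer); },
  };
}
```

In a page this would be called as `openChannel(window, { ws: ..., poll: ... }, handler)`, so the same code keeps working whether or not the browser exposes WebSocket.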