Skip to content

[release/10.0] Deny unmasked frame receive for WebSocket Server #123660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
github-actions wants to merge 2 commits into
base: release/10.0
Choose a base branch
from
Open

[release/10.0] Deny unmasked frame receive for WebSocket Server #123660

github-actions wants to merge 2 commits into from
+22 −0

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Jan 27, 2026
edited by karelz
Loading

Backport of #123485 to release/10.0

/cc @liveans

Increasing RFC compliance for WebSocket

Customer Impact

RFC compliance

Regression

No

Testing

Manual verification + automated tests

Risk

Low, the change only affects non‑compliant WebSocket clients sending unmasked frames, which is explicitly disallowed by RFC 6455. No behavior change is expected for compliant clients.

MihaZupan
MihaZupan approved these changes Jan 27, 2026
View reviewed changes
Copy link
Member

@MihaZupan MihaZupan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we looked at any common WebSocket servers to see if they emit unmasked frames by any chance since that could break .NET clients?

@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 27, 2026

Tagging subscribers to this area: @karelz, @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

This was referenced Jan 27, 2026
Open
Open
Open
Open
Open
Open
Open
@karelz karelz added the Servicing-consider Issue for next servicing release review label Feb 3, 2026
karelz
karelz approved these changes Feb 3, 2026
View reviewed changes
Copy link
Member

@karelz karelz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RFC compliance, we should fix it

@karelz karelz added this to the 10.0.x milestone Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@karelz karelz karelz approved these changes

@MihaZupan MihaZupan MihaZupan approved these changes

Assignees

@github-actions github-actions[bot]

Labels

area-System.Net Servicing-consider Issue for next servicing release review

Projects

None yet

Milestone

10.0.x

Development

Successfully merging this pull request may close these issues.

3 participants

@karelz @MihaZupan @liveans