掩码用于给客户端到服务端的帧数据加密(异或的方式,非常简单),对此RFC6455中给了一些细节如下:
The masking key is contained completely within the frame, as defined in Section 5.2 as frame-masking-key. It is used to mask the "Payload data" defined in the same section as frame-payload-data, which includes "Extension data" and "Application data".
我们看到,这个写的很清楚,掩码是给 payload 进行加密用的,这个位置会产生一个误解,就是,如果我没有 payload 的时候,是不是可以不需要掩码?比如一个 ping 帧,不带任何数据是否不需要mask?
答案是否定的!
协议中有这么一段话:
In the WebSocket Protocol, data is transmitted using a sequence of frames. To avoid confusing network intermediaries (such as intercepting proxies) and for security reasons that are further discussed in Section 10.3, a client MUST mask all frames that it sends to the server (see Section 5.3 for further details). (Note that masking is done whether or not the WebSocket Protocol is running over TLS.) The server MUST close the connection upon receiving a frame that is not masked. In this case, a server MAY send a Close frame with a status code of 1002 (protocol error) as defined in Section 7.4.1. A server MUST NOT mask any frames that it sends to the client. A client MUST close a connection if it detects a masked frame. In this case, it MAY use the status code 1002 (protocol error) as defined in Section 7.4.1. (These rules might be relaxed in a future specification.)
这段明确说了,客户端发送到服务器的所有帧都必须有掩码,而服务器发送到客户端的所有帧都必须没有掩码。如果违背了这个规则,就必须以1002错误关闭连接。
因此,你可以看到客户端发送到服务器的ping,实际上是带了掩码的,哪怕这个ping没有任何payload 数据。
