Chrome is developing an API for direct TCP and UDP communication

Google has begun implementing a new Raw Sockets API in Chrome, which allows web applications to establish direct network connections using the TCP and UDP protocols. In 2015, the W3C already attempted to standardize a "TCP and UDP Socket" API, but the members of the working group did not reach a consensus and development of that API was stopped.

The new API is needed to interact with network devices that use their own protocols running on top of TCP and UDP and do not support communication via HTTPS or WebSockets. It is noted that the Raw Sockets API will complement the low-level WebUSB, WebMIDI and WebBluetooth APIs already in the browser, which allow interaction with local devices.

To avoid any negative security impact, the Raw Sockets API will only allow network requests that are initiated with the user's consent and limited to the list of hosts the user has allowed. The user will have to explicitly confirm the first connection attempt to a new host. Using a special flag, the user will be able to disable repeated confirmation prompts when reconnecting to the same host. To prevent DDoS attacks, the rate of requests through Raw Sockets will be limited, and requests can be sent only after the user has interacted with the page. UDP packets received from hosts not approved by the user will be ignored and will not reach the web application.

The initial implementation does not provide for the creation of listening sockets, but calls to accept incoming connections from localhost or from a list of known hosts may be added in the future. The need to protect against "DNS rebinding" attacks is also mentioned (an attacker can change the IP address for a user-approved domain name at the DNS level and gain access to other hosts). Access to domains resolving to 127.0.0.0/8 and to the intranet is planned to be blocked (requests to localhost are proposed to be allowed only if the user explicitly enters the IP address in the confirmation form).
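The rebinding check described above can be sketched as follows. This is an added example, not Chrome's implementation: the function names, the result shape and the definition of "intranet" (RFC 1918 and link-local IPv4 ranges) are assumptions, and extending the IP-literal exception from localhost to other restricted ranges is a generalization of what the article states.

```javascript
// Added illustration; all names are hypothetical. IPv4 only.
const RESTRICTED = [
  ["127.0.0.0", 8],    // loopback (the range named in the article)
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918
  ["169.254.0.0", 16], // link-local
  ["0.0.0.0", 8],      // "this network"
];

// Strict dotted-quad parser: returns an unsigned 32-bit integer, or null.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isRestricted(addr) {
  const ip = ipv4ToInt(addr);
  if (ip === null) return true; // fail closed on anything we cannot classify
  return RESTRICTED.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (ip & mask) >>> 0 === ipv4ToInt(base);
  });
}

// host: what the page asked for; resolved: addresses DNS returned just now;
// approved: set of hosts the user confirmed earlier.
function decideConnection(host, resolved, approved) {
  if (!approved.has(host)) return { allow: false, reason: "host-not-approved" };
  // An IP literal entered in the confirmation form is an explicit user choice.
  if (ipv4ToInt(host) !== null) return { allow: true, connectTo: host };
  if (resolved.length === 0) return { allow: false, reason: "no-address" };
  // An approved name must not resolve to loopback or intranet space.
  const bad = resolved.find(isRestricted);
  if (bad) return { allow: false, reason: "restricted-address", address: bad };
  // Pin the checked address so a later DNS answer cannot swap the target.
  return { allow: true, connectTo: resolved[0] };
}
```

The caller is expected to connect to `connectTo` rather than resolve the name again, since a second lookup would reopen the window the check closes.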

Among the risks that may arise when implementing the new API is its possible rejection by other browser vendors, which could lead to compatibility issues. The developers of the Mozilla Gecko and WebKit engines have not yet worked out a position on a possible implementation of the Raw Sockets API, but Mozilla has already proposed a similar API for the Firefox OS (B2G) project. If approved, the Raw Sockets API is planned to be activated first on Chrome OS, and only then offered to Chrome users on other systems.

Web developers responded positively to the new API and offered many new ideas for applying it in areas where the XMLHttpRequest, WebSocket and WebRTC APIs are not enough (from creating browser clients for SSH, RDP, IMAP, SMTP, IRC and print protocols to developing distributed P2P systems with DHT (Distributed Hash Table), IPFS support and interaction with specific protocols of IoT devices).

Source: opennet.ru
