Way back in 2008, my friend Jack Moffitt wrote a blog post entitled XMPP Is Better With BOSH. In those ancient days of long polling, BOSH was the state of the art for sending XMPP traffic over an HTTP transport because we needed something like the Comet model for bidirectional communication over HTTP. Even at the time, we knew it was an ugly and temporary hack to send multiple HTTP request-response pairs via long polling, but we didn't have anything better.
Since then, bidirectional communication between web browser and web service has come a long way, thanks to WebSocket. Nowadays, you start with an HTTP connection but use the HTTP Upgrade mechanism to bootstrap directly into a long-lived bidirectional session (for this reason, WebSocket has been likened to "TCP for the web"). WebSocket has its warts too, but compared to BOSH it significantly reduces the overhead of maintaining HTTP-based connections for XMPP. Even better, it has become a truly standard foundation for building real-time web apps, with support in all the modern languages and frameworks for web development.
The benefits of communicating XMPP over WebSocket encompass and extend the ones that Jack enumerated years ago for BOSH:
- Greater resilience in the face of unreliable networks — here WebSocket does pretty much what BOSH and other "Comet" approaches did 10 years ago, but in a more network-friendly way by removing the need for long polling.
- The ability to recover from data loss — the BOSH model of recovering from network outages and communication glitches was generalized with the XMPP stream management extension, which can be used with XMPP over WebSocket, too.
- Compression for free — well, it turns out that the free compression we got by sending XMPP over HTTP wasn't so free after all (cf. the CRIME and BREACH attacks), but there's a native compression scheme for WebSocket which so far appears to avoid the security problems that emerged with application-layer compression in HTTP.
- Firewall friendliness — in this case WebSocket isn't quite as network-agnostic as BOSH, since some networks, mobile networks especially, are known to prevent WebSocket from working well (usually because they don't handle the HTTP Upgrade mechanism very well). Hopefully that will improve over time, but in the meantime we can always fall back to BOSH if needed.
Thanks in large measure to the dedication of yeti Lance Stout and key contributions from Jack as well as Eric Cestari, the XMPP over WebSocket spec has just been published as RFC 7395. This technology is a big factor in our long-term efforts to help XMPP love the web, and we're already using it extensively in the next generation of Talky, in stanza.io, and more generally in the Otalk platform we're building as a more open foundation for realtime communications.