This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos AV blocks server-sent events (SSE) on Mac OS X Yosemite

This took me a long time to figure out, so I'm posting here in the hopes that Google searches save the next vicitim, or that Sophos can do a fix.

I was testing a website with Server-Sent Events, i.e. EventSource events sent from a CGI script to my browser. Everything worked fine when both the server and browser was on my computer.  But when I tried to connect to the production browser, I was unable to recieve events; all browsers simply hung.  

After some testing, I realized it was Sophos.  Specifically, turning off "General / Web Protection / Block Malicious Downloads.." fixed the problem.

Sophos needs to be fixed so that it does not do blocking read/write of HTTP data with stream headers with

   Content-Type: text/event-stream

I'm not sure how it's blocking; it might be due to internal buffering sizes being too big or some other problem.

Here's a test site:

http://neutrino.otterbein.edu/~tagg/streamtest/test.cgi

This SHOULD print the time four times immediately, then print the time every 5 seconds thereafter. 

And here's the code sending it:

#!/usr/bin/perl -w
use IO::Handle qw( );  # For flush
use Time::HiRes qw(usleep nanosleep gettimeofday);

print "Content-Type: text/event-stream\r\n";
print "Cache-Control: no-cache\r\n";
print "\r\n";

print "data: " . localtime() . "\n\n";STDOUT->flush();

print "data: " . localtime() . "\n\n";STDOUT->flush();

print "data: " . localtime() . "\n\n";STDOUT->flush();

print "data: " . localtime() . "\n\n";STDOUT->flush();


while(1) {

  sleep(5);
print "data: " . localtime . "\n\n";
STDOUT->flush();

Since I have users who I know use Sophos, I would be really happy if this could be fixed ASAP. Thanks!

:1021268


This thread was automatically locked due to age.
Parents
  • Yes, you're right.  SSE events are blocked by the "Block malicious downloads" feature of Sophos Anti-Virus.

    Our scanner needs the entire response, so we must wait until the HTTP response is complete before allowing the browser to see it.  SSE works incrementally, and the response may never complete.

    We have explicit support for bypassing scanning of streaming audio and some video sites.  While we could allow immediate access to 'text/event-stream' content as you suggest, this needs careful consideration and work to ensure that it doesn't compromise the security of our customers.  I will raise a ticket to propose adding support for SSE to a future release.

    I'll point out that Long Polling and WebSockets are alternatives to SSE, and both should work just fine with our web protection feature.

    :1021280
Reply
  • Yes, you're right.  SSE events are blocked by the "Block malicious downloads" feature of Sophos Anti-Virus.

    Our scanner needs the entire response, so we must wait until the HTTP response is complete before allowing the browser to see it.  SSE works incrementally, and the response may never complete.

    We have explicit support for bypassing scanning of streaming audio and some video sites.  While we could allow immediate access to 'text/event-stream' content as you suggest, this needs careful consideration and work to ensure that it doesn't compromise the security of our customers.  I will raise a ticket to propose adding support for SSE to a future release.

    I'll point out that Long Polling and WebSockets are alternatives to SSE, and both should work just fine with our web protection feature.

    :1021280
Children