faye 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: eef57afbc25a87bf66b990a8d204e9ac0ae02600
-  data.tar.gz: 800d06c69f2b91d2c4c9a9409b8a59fdf0b43dba
+SHA256:
+  metadata.gz: 6360fb99c07ebc88410222fab2f63fe2e01ce4ccc20b044ce1af8b9abce23a88
+  data.tar.gz: df9d35e5534ae844d428fa32a81d4c496072eb4d638231d884988a5bb6d1ea5e
 SHA512:
-  metadata.gz: 7d36d29c3944fd77ab0d9a7d753d15d61b8efd7e83e969015546a444277d55234e9b012ec789baa583f1ed42b6aedbf45bb96294f9bdde1ca10a3daad766a79e
-  data.tar.gz: 480949d3bbb1ee641bab9a3557aac31a105bba2241936edec2e600fc47296084f448d1fc05195312f8f7307bb8e2fafc9b1aa8e14519c0203613d261d5e3eaa7
+  metadata.gz: 6ab5b18b7dc99264d45a80b17890982e0b6373634b9b44c0b39d57ce5474f6e278aea0b56104f932d61b05482a17483af1ec58cb6b6a29a430c3e42b6d3d86e3
+  data.tar.gz: 131c7e89ce4f7af23e76c9c57b0ac0f63c5da58ac417991e1a381009dc5e2007eab6bf9c9bccb1a62ca1eefe1601d0b8f744f6b41fcf29f9c868bbd30f6d07b4

data/CHANGELOG.md

@@ -1,61 +1,137 @@
+### 1.3.0 / 2020-06-08
+
+- Support `user:pass@` authorization in URIs and send `Authorization` headers
+  from the Node HTTP transport
+- Support IPv6 hostnames in URIs
+- Allow credentials (cookies and `Authorization` headers) in cross-origin
+  requests, by:
+  - setting `Access-Control-Allow-Origin` to the value of the `Origin` header
+    (not `*`)
+  - enabling `Access-Control-Allow-Credentials`
+- Enable credentials when sending cross-origin requests
+- Don't disconnect WebSocket on page unload if `autodisconnect` is turned off
+- Catch errors when creating a WebSocket, which happens when Content Security
+  Policy blocks it, allowing other transports to be tried
+- Fix a bug in the client where it handles messages from other clients as though
+  they're the server's response to its own messages, based on the `id` field;
+  now we only treat messages as server responses if they contain `successful:
+  true`
+- Stop sending an empty message list `[]` from the WebSocket client as a
+  keep-alive mechanism since CometD does not accept this message
+- Fix deprecation warnings for using the `new Buffer()` constructor
+- Switch to the Apache 2.0 license
+
+
+### 1.2.5 / 2020-04-28
+
+- Fix `/meta/*` channel recognition bug in the server that enables
+  authentication bypass
+  - https://blog.jcoglan.com/2020/04/28/authentication-bypass-in-faye/
+
+
+### 1.2.4 / 2017-01-28
+
+- Fix `RackAdapter#get_client` that was failing due to a URI error
+- Define `Promise#catch` in a safe way for old browsers
+- Log errors in the Node HTTP transport
+
+
+### 1.2.3 / 2016-10-11
+
+- Return an error if the `data` field is missing on published messages
+- Fix errors that occur in the new `websocket` util when the browser does not
+  support WebSocket
+
+
+### 1.2.2 / 2016-07-18
+
+- Mitigate the HTTPoxy vulnerability: https://httpoxy.org/
+
+
 ### 1.2.1 / 2016-06-29
 
-* Fix a missing variable error in `NodeAdapter`
+- Fix a missing variable error in `NodeAdapter`
 
 
 ### 1.2.0 / 2016-06-26
 
-* Add `client.subscribe().withChannel()` to yield the message channel for wildcard subscriptions
-* Restructure the JavaScript codebase around Node modules (require/exports) rather than globals
-* Update the Promise shim to reflect the standard API, including `catch()` and `all()`
-* Support connecting to servers that use SNI in the Ruby client
-* Make the JavaScript client work inside React Native and Web Workers
-* Remove JSON2; you should import a JSON shim yourself if necessary
-* Handle errors that occur when a message is partially delivered via EventSource
-* Reject requests with invalid (non-array or -object) top-level JSON values
-* Make local client requests asynchronous to avoid re-entrant request handling errors
-* Remove `Connection: Close` from HTTP responses to allow use of keep-alive
-* Use `XMLHttpRequest` in preference to the ActiveX API in IE10
-* Fix bug where flushing large message batches puts promises in an invalid state
+- Add `client.subscribe().withChannel()` to yield the message channel for
+  wildcard subscriptions
+- Restructure the JavaScript codebase around Node modules (require/exports)
+  rather than globals
+- Update the Promise shim to reflect the standard API, including `catch()` and
+  `all()`
+- Support connecting to servers that use SNI in the Ruby client
+- Make the JavaScript client work inside React Native and Web Workers
+- Remove JSON2; you should import a JSON shim yourself if necessary
+- Handle errors that occur when a message is partially delivered via EventSource
+- Reject requests with invalid (non-array or -object) top-level JSON values
+- Make local client requests asynchronous to avoid re-entrant request handling
+  errors
+- Remove `Connection: Close` from HTTP responses to allow use of keep-alive
+- Use `XMLHttpRequest` in preference to the ActiveX API in IE10
+- Fix bug where flushing large message batches puts promises in an invalid state
+
+
+### 1.1.3 / 2020-04-28
+
+- Fix `/meta/*` channel recognition bug in the server that enables
+  authentication bypass
+  - https://blog.jcoglan.com/2020/04/28/authentication-bypass-in-faye/
 
 
 ### 1.1.2 / 2015-07-19
 
-* Allow the `Authorization` header to be used on CORS requests
-* Disallow unused methods like PUT and DELETE on CORS requests
-* Stop IE prematurely garbage-collecting `XDomainRequest` objects
-* Make sure messages can be sent if they overflow the request size limit and the outbox is empty
-* Don't send messages over WebSockets unless they are in the 'open' ready-state
-* Fix a bug preventing use of the in-process transport in Ruby
+- Allow the `Authorization` header to be used on CORS requests
+- Disallow unused methods like PUT and DELETE on CORS requests
+- Stop IE prematurely garbage-collecting `XDomainRequest` objects
+- Make sure messages can be sent if they overflow the request size limit and the
+  outbox is empty
+- Don't send messages over WebSockets unless they are in the 'open' ready-state
+- Fix a bug preventing use of the in-process transport in Ruby
 
 
 ### 1.1.1 / 2015-02-25
 
-* Make sure the client ID associated with a WebSocket is not dropped, so the socket can be closed properly
-* Handle cases where a JSON-P endpoint returns no response argument
-* Stop trying to retry messages after the client has been disconnected
-* Remove duplication of the client ID in EventSource URLs
+- Make sure the client ID associated with a WebSocket is not dropped, so the
+  socket can be closed properly
+- Handle cases where a JSON-P endpoint returns no response argument
+- Stop trying to retry messages after the client has been disconnected
+- Remove duplication of the client ID in EventSource URLs
 
 
 ### 1.1.0 / 2014-12-22
 
-* Allow the server and client to use WebSocket extensions, for example permessage-deflate
-* Support the `HTTP_PROXY` and `HTTPS_PROXY` environment variables to send all client connections through an HTTP proxy
-* Introduce the `Scheduler` API to allow the user to control message retries
-* Add the `attempts` and `deadline` options to `Client#publish()`
-* Let `RackAdapter` take a block that yields the instance, so extensions can be added to middleware
-* Allow monitoring listeners to see the `clientId` on publishd messages but still avoid sending it to subscribers
-* Return a promise from `Client#disconnect()`
-* Fix client-side retry bugs causing the client to flood the server with duplicate messages
-* Send all transport types in the `supportedConnectionTypes` handshake parameter
-* Don't close WebSockets when the client recovers from an error and sends a new `clientId`
-* Replace `cookiejar` with `tough-cookie` to avoid global variable leaks
+- Allow the server and client to use WebSocket extensions, for example
+  permessage-deflate
+- Support the `HTTP_PROXY` and `HTTPS_PROXY` environment variables to send all
+  client connections through an HTTP proxy
+- Introduce the `Scheduler` API to allow the user to control message retries
+- Add the `attempts` and `deadline` options to `Client#publish()`
+- Let `RackAdapter` take a block that yields the instance, so extensions can be
+  added to middleware
+- Allow monitoring listeners to see the `clientId` on publishd messages but
+  still avoid sending it to subscribers
+- Return a promise from `Client#disconnect()`
+- Fix client-side retry bugs causing the client to flood the server with
+  duplicate messages
+- Send all transport types in the `supportedConnectionTypes` handshake parameter
+- Don't close WebSockets when the client recovers from an error and sends a new
+  `clientId`
+- Replace `cookiejar` with `tough-cookie` to avoid global variable leaks
+
+
+### 1.0.4 / 2020-04-28
+
+- Fix `/meta/*` channel recognition bug in the server that enables
+  authentication bypass
+  - https://blog.jcoglan.com/2020/04/28/authentication-bypass-in-faye/
 
 
 ### 1.0.3 / 2014-07-08
 
-* Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
-* http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+- Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
+- http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
 
 
 ### 1.0.2 -- removed due to error while publishing
@@ -63,62 +139,83 @@
 
 ### 1.0.1 / 2013-12-10
 
-* Add `Adapter#close()` method for gracefully shutting down the server
-* Fix error recover bug in WebSocket that made transport cycle through `up`/`down` state
-* Update Promise implementation to pass `promises-aplus-tests 2.0`
-* Correct some incorrect variable names in the Ruby transports
-* Make logging methods public to fix a problem on Ruby 2.1
+- Add `Adapter#close()` method for gracefully shutting down the server
+- Fix error recover bug in WebSocket that made transport cycle through
+  `up`/`down` state
+- Update Promise implementation to pass `promises-aplus-tests 2.0`
+- Correct some incorrect variable names in the Ruby transports
+- Make logging methods public to fix a problem on Ruby 2.1
 
 
 ### 1.0.0 / 2013-10-01
 
-* Client changes:
-  * Allow clients to be instantiated with URI objects rather than strings
-  * Add a `ca` option to the Node `Client` class for passing in trusted server certificates
-  * Objects supporting the `callback()` method in JavaScript are now Promises
-  * Fix protocol-relative URI parsing in the client
-  * Remove the `getClientId()` and `getState()` methods from the `Client` class
-* Transport changes:
-  * Add request-size limiting to all batching transports
-  * Make the WebSocket transport more robust against quiet network periods and clients going to sleep
-  * Support cookies across all transports when using the client on Node.js or Ruby
-  * Support custom headers in the `cross-origin-long-polling` and server-side `websocket` transports
-* Adapter changes:
-  * Support the `rack.hijack` streaming API
-  * Migrate to MultiJson for JSON handling on Ruby, allowing use of JRuby
-  * Escape U+2028 and U+2029 in JSON-P output
-  * Fix a bug stopping requests being routed when the mount point is `/`
-  * Fix various bugs that cause errors to be thrown if we try to send a message over a closed socket
-  * Remove the `listen()` method from `Adapter` in favour of using server-specific APIs
-* Server changes:
-  * Use cryptographically secure random number generators to create client IDs
-  * Allow extensions to access request properties by using 3-ary methods
-  * Objects supporting the `bind()` method now implement the full `EventEmitter` API
-  * Stop the server from forwarding the `clientId` property of published messages
-* Miscellaneous:
-  * Support Browserify by returning the client module
-  * `Faye.logger` can now be a logger object rather than a function
+- Client changes:
+  - Allow clients to be instantiated with URI objects rather than strings
+  - Add a `ca` option to the Node `Client` class for passing in trusted server
+    certificates
+  - Objects supporting the `callback()` method in JavaScript are now Promises
+  - Fix protocol-relative URI parsing in the client
+  - Remove the `getClientId()` and `getState()` methods from the `Client` class
+- Transport changes:
+  - Add request-size limiting to all batching transports
+  - Make the WebSocket transport more robust against quiet network periods and
+    clients going to sleep
+  - Support cookies across all transports when using the client on Node.js or
+    Ruby
+  - Support custom headers in the `cross-origin-long-polling` and server-side
+    `websocket` transports
+- Adapter changes:
+  - Support the `rack.hijack` streaming API
+  - Migrate to MultiJson for JSON handling on Ruby, allowing use of JRuby
+  - Escape U+2028 and U+2029 in JSON-P output
+  - Fix a bug stopping requests being routed when the mount point is `/`
+  - Fix various bugs that cause errors to be thrown if we try to send a message
+    over a closed socket
+  - Remove the `listen()` method from `Adapter` in favour of using
+    server-specific APIs
+- Server changes:
+  - Use cryptographically secure random number generators to create client IDs
+  - Allow extensions to access request properties by using 3-ary methods
+  - Objects supporting the `bind()` method now implement the full `EventEmitter`
+    API
+  - Stop the server from forwarding the `clientId` property of published
+    messages
+- Miscellaneous:
+  - Support Browserify by returning the client module
+  - `Faye.logger` can now be a logger object rather than a function
+
+
+### 0.8.11 / 2014-07-08
+
+- Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
+- http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+
+
+### 0.8.10 -- removed due to error while publishing
 
 
 ### 0.8.9 / 2013-02-26
 
-* Specify ciphers for SSL on Node to mitigate the BEAST attack
-* Mitigate increased risk of socket hang-up errors in Node v0.8.20
-* Fix race condition when processing outgoing extensions in the Node server
-* Fix problem loading the client script when using `{mount: '/'}`
-* Clean up connection objects when a WebSocket is re-used with a new clientId
-* All JavaScript code now runs in strict mode
-* Select transport on handshake, instead of on client creation to allow time for `disable()` calls
-* Do not speculatively open WebSocket/EventSource connections if they are disabled
-* Gracefully handle WebSocket messages with no data on the client side
-* Close and reconnect WebSocket when onerror is fired, not just when onclose is fired
-* Fix problem with caching of EventSource connections with stale clientIds
-* Don't parse query strings when checking if a URL is same-origin or not
+- Specify ciphers for SSL on Node to mitigate the BEAST attack
+- Mitigate increased risk of socket hang-up errors in Node v0.8.20
+- Fix race condition when processing outgoing extensions in the Node server
+- Fix problem loading the client script when using `{mount: '/'}`
+- Clean up connection objects when a WebSocket is re-used with a new clientId
+- All JavaScript code now runs in strict mode
+- Select transport on handshake, instead of on client creation to allow time for
+  `disable()` calls
+- Do not speculatively open WebSocket/EventSource connections if they are
+  disabled
+- Gracefully handle WebSocket messages with no data on the client side
+- Close and reconnect WebSocket when onerror is fired, not just when onclose is
+  fired
+- Fix problem with caching of EventSource connections with stale clientIds
+- Don't parse query strings when checking if a URL is same-origin or not
 
 
 ### 0.8.8 / 2013-01-10
 
-* Patch security hole allowing remote execution of arbitrary Server methods
+- Patch security hole allowing remote execution of arbitrary Server methods
 
 
 ### 0.8.7 -- removed due to error while publishing
@@ -126,280 +223,311 @@
 
 ### 0.8.6 / 2012-10-07
 
-* Make sure messages pushed to the client over a socket pass through outgoing extensions
+- Make sure messages pushed to the client over a socket pass through outgoing
+  extensions
 
 
 ### 0.8.5 / 2012-09-30
 
-* Fix a bug in `URI.parse()` that caused Faye endpoints to inherit search and hash from `window.location`
+- Fix a bug in `URI.parse()` that caused Faye endpoints to inherit search and
+  hash from `window.location`
 
 
 ### 0.8.4 / 2012-09-29
 
-* Optimise upgrade process so that WebSocket is tested earlier and the connection is cached
-* Check that EventSource actually works to work around broken Opera implementation
-* Emit `connection:open` and `connection:close` events from the Engine proxy
-* Increase size of client IDs from 128 to 160 bits
-* Fix bug with relative URL resolution in IE
-* Limit the JSON-P transport's message buffer so it doesn't create over-long URLs
-* Send `Pragma: no-cache` with XHR requests to guard against iOS 6 POST caching
-* Add `charset=utf-8` to response Content-Type headers
+- Optimise upgrade process so that WebSocket is tested earlier and the
+  connection is cached
+- Check that EventSource actually works to work around broken Opera
+  implementation
+- Emit `connection:open` and `connection:close` events from the Engine proxy
+- Increase size of client IDs from 128 to 160 bits
+- Fix bug with relative URL resolution in IE
+- Limit the JSON-P transport's message buffer so it doesn't create over-long
+  URLs
+- Send `Pragma: no-cache` with XHR requests to guard against iOS 6 POST caching
+- Add `charset=utf-8` to response Content-Type headers
 
 
 ### 0.8.3 / 2012-07-15
 
-* `Client#subscribe` returns an array of Subscriptions if given an array of channels
-* Allow different endpoints to be specified per-transport
-* Only use IE's `XDomainRequest` for same-protocol requests
-* Replace URL parser with one that treats relative URLs the same as the browser
-* Improve logging of malformed requests and detect problems earlier
-* Make sure socket connections are closed when a client session is timed out
-* Stop WebSocket reconnecting after `window.onbeforeunload`
+- `Client#subscribe` returns an array of Subscriptions if given an array of
+  channels
+- Allow different endpoints to be specified per-transport
+- Only use IE's `XDomainRequest` for same-protocol requests
+- Replace URL parser with one that treats relative URLs the same as the browser
+- Improve logging of malformed requests and detect problems earlier
+- Make sure socket connections are closed when a client session is timed out
+- Stop WebSocket reconnecting after `window.onbeforeunload`
 
 
 ### 0.8.2 / 2012-04-12
 
-* Fix replacement of `null` with `{}` in `copyObject()`
-* Make EventSource transport trigger `transport:up/down` events
-* Supply source map for minified JavaScript client, and include source in gem
-* Return `Content-Length: 0` for 304 responses
-* Handle pre-flight CORS requests from old versions of Safari
+- Fix replacement of `null` with `{}` in `copyObject()`
+- Make EventSource transport trigger `transport:up/down` events
+- Supply source map for minified JavaScript client, and include source in gem
+- Return `Content-Length: 0` for 304 responses
+- Handle pre-flight CORS requests from old versions of Safari
 
 
 ### 0.8.1 / 2012-03-15
 
-* Make `Publisher#trigger` safe for event listeners that modify the listener list
-* Make `Server#subscribe` return a response if the incoming message has an error
-* Fix edge case in code that identifies the `clientId` of socket connections
-* Return `Content-Length` headers for HTTP responses
-* Don't send empty lists of messages from the WebSocket transport
-* Stop client sending multiple `/meta/subscribe` messages for subscriptions made before handshaking
-* Stop client treating incoming published messages as responses to `/meta/*` messages
+- Make `Publisher#trigger` safe for event listeners that modify the listener
+  list
+- Make `Server#subscribe` return a response if the incoming message has an error
+- Fix edge case in code that identifies the `clientId` of socket connections
+- Return `Content-Length` headers for HTTP responses
+- Don't send empty lists of messages from the WebSocket transport
+- Stop client sending multiple `/meta/subscribe` messages for subscriptions made
+  before handshaking
+- Stop client treating incoming published messages as responses to `/meta/*`
+  messages
 
 
 ### 0.8.0 / 2012-02-26
 
-* Extract the Redis engine into a separate library, `faye-redis`
-* Stabilize and document the Engine API so others can write backends
-* Extract WebSocket and EventSource tools into a separate library, `faye-websocket`
-* Improve use of WebSocket so messages are immediately pushed rather than polling
-* Introduce new EventSource-based transport, for proxies that block WebSocket
-* Support the Rainbows and Goliath web servers for Ruby, same as `faye-websocket`
-* Improve detection of network errors and switch to fixed-interval for reconnecting
-* Add `setHeader()` method to Client (e.g. for connecting to Salesforce API)
-* Add `timeout()` method to `Faye.Deferrable` to match `EventMachine::Deferrable`
-* Fix some bugs in client-side message handlers created with `subscribe()`
-* Improve speed and memory consumption of `copyObject()`
-* Switch from JSON to Yajl for JSON parsing in Ruby
+- Extract the Redis engine into a separate library, `faye-redis`
+- Stabilize and document the Engine API so others can write backends
+- Extract WebSocket and EventSource tools into a separate library,
+  `faye-websocket`
+- Improve use of WebSocket so messages are immediately pushed rather than
+  polling
+- Introduce new EventSource-based transport, for proxies that block WebSocket
+- Support the Rainbows and Goliath web servers for Ruby, same as
+  `faye-websocket`
+- Improve detection of network errors and switch to fixed-interval for
+  reconnecting
+- Add `setHeader()` method to Client (e.g. for connecting to Salesforce API)
+- Add `timeout()` method to `Faye.Deferrable` to match
+  `EventMachine::Deferrable`
+- Fix some bugs in client-side message handlers created with `subscribe()`
+- Improve speed and memory consumption of `copyObject()`
+- Switch from JSON to Yajl for JSON parsing in Ruby
+
+
+### 0.7.2 / 2013-01-10
+
+- Patch security hole allowing remote execution of arbitrary Server methods
 
 
 ### 0.7.1 / 2011-12-22
 
-* Extension `added()` and `removed()` methods now receive the extended object
-* Detection of WebSockets in RackAdapter is more strict
+- Extension `added()` and `removed()` methods now receive the extended object
+- Detection of WebSockets in RackAdapter is more strict
 
 
 ### 0.7.0 / 2011-11-22
 
-* Provide an event API for monitoring engine events on the server side
-* Implement server-side WebSocket connections for improved latency
-* Fix WebSocket protocol bugs and expose APIs for developers to use
-* Make server-side HTTP transports support SSL and cookies
-* Allow clients to disable selected transports and autodisconnection
-* Add callback/errback API to `Client#publish()` interface
-* Add `socket` setting for the Redis engine for connecting through a Unix socket
+- Provide an event API for monitoring engine events on the server side
+- Implement server-side WebSocket connections for improved latency
+- Fix WebSocket protocol bugs and expose APIs for developers to use
+- Make server-side HTTP transports support SSL and cookies
+- Allow clients to disable selected transports and autodisconnection
+- Add callback/errback API to `Client#publish()` interface
+- Add `socket` setting for the Redis engine for connecting through a Unix socket
+
+
+### 0.6.8 / 2013-01-10
+
+- Patch security hole allowing remote execution of arbitrary Server methods
 
 
 ### 0.6.7 / 2011-10-20
 
-* Cache client script in memory and add `ETag` and `Last-Modified` headers
-* Fix bug in Node Redis engine where `undefined` was used if no namespace given
-* Flush Redis message queues using a transaction to avoid re-delivery of messages
-* Fix race condition and timing errors present in Redis locking code
-* Use `Cache-Control: no-cache, no-store` on JSON-P responses
-* Improvements to the CORS and JSON-P transports
-* Prevent retry handlers in transports from being invoked multiple times
-* Use the current page protocol by default when parsing relative URIs
+- Cache client script in memory and add `ETag` and `Last-Modified` headers
+- Fix bug in Node Redis engine where `undefined` was used if no namespace given
+- Flush Redis message queues using a transaction to avoid re-delivery of
+  messages
+- Fix race condition and timing errors present in Redis locking code
+- Use `Cache-Control: no-cache, no-store` on JSON-P responses
+- Improvements to the CORS and JSON-P transports
+- Prevent retry handlers in transports from being invoked multiple times
+- Use the current page protocol by default when parsing relative URIs
 
 
 ### 0.6.6 / 2011-09-12
 
-* Add `:key` and `:cert` options to the `Adapter#listen` methods for setting up SSL
-* Fix error detection of CORS transport in IE9 running IE8 compatibility mode
-* Fix dependency versions so that Rubygems lets Faye install
+- Add `:key` and `:cert` options to the `Adapter#listen` methods for setting up
+  SSL
+- Fix error detection of CORS transport in IE9 running IE8 compatibility mode
+- Fix dependency versions so that Rubygems lets Faye install
 
 
 ### 0.6.5 / 2011-08-29
 
-* Fix UTF-8 encoding bugs in draft-75/76 and protocol-8 WebSocket parsers
-* Switch to streaming parser for WebSocket protocol-8
-* Remove an `SREM` operation that shouldn't have been in the Redis engine
-* Move `thin_extensions.rb` so it's not on the Rubygems load path
+- Fix UTF-8 encoding bugs in draft-75/76 and protocol-8 WebSocket parsers
+- Switch to streaming parser for WebSocket protocol-8
+- Remove an `SREM` operation that shouldn't have been in the Redis engine
+- Move `thin_extensions.rb` so it's not on the Rubygems load path
 
 
 ### 0.6.4 / 2011-08-18
 
-* Support WebSocket protocol used by Chrome 14 and Firefox 6
-* Fix handling of multibyte characters in WebSocket messages on Node
-* Improve message routing in Node memory engine to avoid false duplicates
+- Support WebSocket protocol used by Chrome 14 and Firefox 6
+- Fix handling of multibyte characters in WebSocket messages on Node
+- Improve message routing in Node memory engine to avoid false duplicates
 
 
 ### 0.6.3 / 2011-07-10
 
-* Use sequential message IDs to reduce memory usage on the client side
-* Only send advice with handshake and connect responses
-* Stop trying to publish `/meta/*` messages - no-one is listening and it breaks `/**`
-* Fix bug causing invalid listeners to appear after a client reconnection
-* Stop loading `rubygems` within our library code
-* Make sure we only queue a message for each client once in the Redis engine
-* Use lists instead of sets for message queues in Redis
-* Improve clean-up of expired clients in Redis engine
+- Use sequential message IDs to reduce memory usage on the client side
+- Only send advice with handshake and connect responses
+- Stop trying to publish `/meta/*` messages - no-one is listening and it breaks
+  `/**`
+- Fix bug causing invalid listeners to appear after a client reconnection
+- Stop loading `rubygems` within our library code
+- Make sure we only queue a message for each client once in the Redis engine
+- Use lists instead of sets for message queues in Redis
+- Improve clean-up of expired clients in Redis engine
 
 
 ### 0.6.2 / 2011-06-19
 
-* Add authentication, database selection and namespacing to Redis engine
-* Clean up all client data when removing clients from Redis
-* Fix `cross-origin-long-polling` for `OPTIONS`-aware browsers
-* Update secure WebSocket detection for recent Node versions
-* Reinstate `faye.client` field in Rack environment
+- Add authentication, database selection and namespacing to Redis engine
+- Clean up all client data when removing clients from Redis
+- Fix `cross-origin-long-polling` for `OPTIONS`-aware browsers
+- Update secure WebSocket detection for recent Node versions
+- Reinstate `faye.client` field in Rack environment
 
 
 ### 0.6.1 / 2011-06-06
 
-* Fix `cross-origin-long-polling` support in `RackAdapter`
-* Plug some potential memory leaks in `Memory` engine
+- Fix `cross-origin-long-polling` support in `RackAdapter`
+- Plug some potential memory leaks in `Memory` engine
 
 
 ### 0.6.0 / 2011-05-21
 
-* Extract core logic into the `Engine` class to support swappable backends
-* Introduce a Redis-backed engine to support clustered web front-ends
-* Use CORS for `cross-domain long-polling`
-* Make server more resilient against bad requests, including empty message lists
-* Perform subscription validation on the server and use errbacks to signal errors
-* Prohibit publishing to wildcard channels
-* Unsubscribing from a channel is now O(1) instead of O(N)
-* Much more thorough and consistent unit test coverage of both versions
-* Automatic integration tests using Terminus and TestSwarm
+- Extract core logic into the `Engine` class to support swappable backends
+- Introduce a Redis-backed engine to support clustered web front-ends
+- Use CORS for `cross-domain long-polling`
+- Make server more resilient against bad requests, including empty message lists
+- Perform subscription validation on the server and use errbacks to signal
+  errors
+- Prohibit publishing to wildcard channels
+- Unsubscribing from a channel is now O(1) instead of O(N)
+- Much more thorough and consistent unit test coverage of both versions
+- Automatic integration tests using Terminus and TestSwarm
 
 
 ### 0.5.5 / 2011-01-16
 
-* Open a real socket to check for WebSocket usability, not just object detection
-* Catch server-side errors when handshaking with WebSockets
+- Open a real socket to check for WebSocket usability, not just object detection
+- Catch server-side errors when handshaking with WebSockets
 
 
 ### 0.5.4 / 2010-12-19
 
-* Add a `#callback` method to `Subscriptions` to detect when they become active
-* Add `:extensions` option to `RackAdapter` to make it easier to extend middleware
-* Detect secure WebSocket requests through the `HTTP_X_FORWARDED_PROTO` header
-* Handle socket errors when sending WebSocket messages from `NodeAdapter`
-* Use exponential backoff to reconnect client-side WebSockets to reduce CPU load
+- Add a `#callback` method to `Subscriptions` to detect when they become active
+- Add `:extensions` option to `RackAdapter` to make it easier to extend
+  middleware
+- Detect secure WebSocket requests through the `HTTP_X_FORWARDED_PROTO` header
+- Handle socket errors when sending WebSocket messages from `NodeAdapter`
+- Use exponential backoff to reconnect client-side WebSockets to reduce CPU load
 
 
 ### 0.5.3 / 2010-10-21
 
-* Improve detection of `wss:` requirement for secure WebSocket connections
-* Correctly use default ports (80,443) for server-side HTTP connections
-* Support legacy `application/x-www-form-urlencoded` POST requests
-* Delete unused Channel objects that have all their subscribers removed
-* Fix resend/reconnect logic in WebSocket transport
-* Keep client script in memory rather than reading it from disk every time
-* Prevent error-adding extensions from breaking the core protocol
+- Improve detection of `wss:` requirement for secure WebSocket connections
+- Correctly use default ports (80,443) for server-side HTTP connections
+- Support legacy `application/x-www-form-urlencoded` POST requests
+- Delete unused Channel objects that have all their subscribers removed
+- Fix resend/reconnect logic in WebSocket transport
+- Keep client script in memory rather than reading it from disk every time
+- Prevent error-adding extensions from breaking the core protocol
 
 
 ### 0.5.2 / 2010-08-12
 
-* Support draft-76 of the WebSocket protocol (FF4, Chrome 6)
-* Reduce `Connection::MAX_DELAY` to improve latency
+- Support draft-76 of the WebSocket protocol (FF4, Chrome 6)
+- Reduce `Connection::MAX_DELAY` to improve latency
 
 
 ### 0.5.1 / 2010-07-21
 
-* Fix a publishing problem in Ruby `LocalTransport`
+- Fix a publishing problem in Ruby `LocalTransport`
 
 
 ### 0.5.0 / 2010-07-17 
 
-* Handle multiple event listeners bound to a channel
-* Add extension system for adding domain-specific logic to the protocol
-* Improve handling of client reconnections if the server goes down
-* Change default polling interval to 0 (immediate reconnect)
-* Add support for WebSockets (draft75 only) as a network transport
-* Remove support for Ruby servers other than Thin
-* Make client and server compatible with CometD (1.x and 2.0) components
-* Improve clean-up of unused server-side connections
-* Change Node API for adding Faye service to an HTTP server
+- Handle multiple event listeners bound to a channel
+- Add extension system for adding domain-specific logic to the protocol
+- Improve handling of client reconnections if the server goes down
+- Change default polling interval to 0 (immediate reconnect)
+- Add support for WebSockets (draft75 only) as a network transport
+- Remove support for Ruby servers other than Thin
+- Make client and server compatible with CometD (1.x and 2.0) components
+- Improve clean-up of unused server-side connections
+- Change Node API for adding Faye service to an HTTP server
 
 
 ### 0.3.4 / 2010-06-20
 
-* Stop local clients going into an infinite loop if a subscription block causes a reconnect
+- Stop local clients going into an infinite loop if a subscription block causes
+  a reconnect
 
 
 ### 0.3.3 / 2010-06-07
 
-* Bring Node APIs up to date with 0.1.97
-* Catch `ECONNREFUSED` errors in Node clients to withstand server outages
-* Refactor the `Server` internals
+- Bring Node APIs up to date with 0.1.97
+- Catch `ECONNREFUSED` errors in Node clients to withstand server outages
+- Refactor the `Server` internals
 
 
 ### 0.3.2 / 2010-04-04
 
-* Fix problems with JSON serialization when Prototype, MooTools present
-* Make the client reconnect if it doesn't hear from the server after a timeout
-* Stop JavaScript server returning `NaN` for `advice.interval`
-* Make Ruby server return an integer for `advice.interval`
-* Ensure EventMachine is running before handling messages
-* Handle `data` and `end` events properly in Node HTTP API
-* Switch to `application/json` for content types and stop using querystring format in POST bodies
-* Respond to any URL path under the mount point, not just the exact match
+- Fix problems with JSON serialization when Prototype, MooTools present
+- Make the client reconnect if it doesn't hear from the server after a timeout
+- Stop JavaScript server returning `NaN` for `advice.interval`
+- Make Ruby server return an integer for `advice.interval`
+- Ensure EventMachine is running before handling messages
+- Handle `data` and `end` events properly in Node HTTP API
+- Switch to `application/json` for content types and stop using querystring
+  format in POST bodies
+- Respond to any URL path under the mount point, not just the exact match
 
 
 ### 0.3.1 / 2010-03-09
 
-* Pass client down through Rack stack as `env['faye.client']`
-* Refactor some JavaScript internals to mirror Ruby codebase
+- Pass client down through Rack stack as `env['faye.client']`
+- Refactor some JavaScript internals to mirror Ruby codebase
 
 
 ### 0.3.0 / 2010-03-01
 
-* Add server-side clients for Node.js and Ruby environments
-* Clients support both HTTP and in-process transports
-* Fix ID generation in JavaScript version to 128-bit IDs
-* Fix bug in interpretation of `**` channel wildcard
-* Users don't have to call `#connect()` on clients any more
-* Fix timeout race conditions that were killing active connections
-* Support new Node APIs from 0.1.29.
+- Add server-side clients for Node.js and Ruby environments
+- Clients support both HTTP and in-process transports
+- Fix ID generation in JavaScript version to 128-bit IDs
+- Fix bug in interpretation of `**` channel wildcard
+- Users don't have to call `#connect()` on clients any more
+- Fix timeout race conditions that were killing active connections
+- Support new Node APIs from 0.1.29.
 
 
 ### 0.2.2 / 2010-02-10
 
-* Kick out requests with malformed JSON as 400s
+- Kick out requests with malformed JSON as 400s
 
 
 ### 0.2.1 / 2010-02-04
 
-* Fix server-side flushing of callback-polling connections
-* Backend can be used cross-domain if running on Node or Thin
+- Fix server-side flushing of callback-polling connections
+- Backend can be used cross-domain if running on Node or Thin
 
 
 ### 0.2.0 / 2010-02-02
 
-* Port server to JavaScript with an adapter for Node.js
-* Support Thin's async responses in the Ruby version for complete non-blocking
-* Fix some minor client-side bugs in transport choice
+- Port server to JavaScript with an adapter for Node.js
+- Support Thin's async responses in the Ruby version for complete non-blocking
+- Fix some minor client-side bugs in transport choice
 
 
 ### 0.1.1 / 2009-07-26
 
-* Fix a broken client build
+- Fix a broken client build
 
 
 ### 0.1.0 / 2009-06-15
 
-* Ruby Bayeux server and Rack adapter
-* Internally evented using EventMachine, web frontend blocks
-* JavaScript client with `long-polling` and `callback-polling`
+- Ruby Bayeux server and Rack adapter
+- Internally evented using EventMachine, web frontend blocks
+- JavaScript client with `long-polling` and `callback-polling`