Re: New Version Notification for draft-nottingham-site-wide-headers-01.txt

Mark Nottingham <> Thu, 24 November 2016 10:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2966C129FBB for <>; Thu, 24 Nov 2016 02:15:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.398
X-Spam-Status: No, score=-8.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A5fKaLO2ErJg for <>; Thu, 24 Nov 2016 02:15:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 325A8129FC6 for <>; Thu, 24 Nov 2016 02:15:01 -0800 (PST)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1c9qzW-00024e-Oq for; Thu, 24 Nov 2016 10:10:54 +0000
Resent-Date: Thu, 24 Nov 2016 10:10:54 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1c9qzP-000226-3k for; Thu, 24 Nov 2016 10:10:47 +0000
Received: from ([]) by with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <>) id 1c9qzI-0005cU-Sd for; Thu, 24 Nov 2016 10:10:41 +0000
Received: from [] (unknown []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 4620C22E259; Thu, 24 Nov 2016 05:10:16 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
From: Mark Nottingham <>
In-Reply-To: <>
Date: Thu, 24 Nov 2016 21:10:13 +1100
Cc: HTTP Working Group <>, "Emily Stark (Dunn)" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Mike West <>
X-Mailer: Apple Mail (2.3251)
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-8.1
X-W3C-Hub-Spam-Report: AWL=1.543, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: 1c9qzI-0005cU-Sd 3970ccd1272758fdc422f7c99611114a
Subject: Re: New Version Notification for draft-nottingham-site-wide-headers-01.txt
Archived-At: <>
X-Mailing-List: <> archive/latest/32993
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

One other thing --

If we take an approach that doesn't allow fallback to headers for new features, it's going to be important to get broad buy-in from implementers. Otherwise, it'll raise the friction for those new features.

For example, if Expect-CT were to adopt it, and browsers were now required to make an extra fetch to implement the spec, some might not like that, and resist implementing it.

This has been the case when we've discussed similar approaches in the past; the extra fetch -- even when not on the critical path -- adds friction. If that's changed, it's great news -- but we should verify that.


> On 24 Nov. 2016, at 8:33 pm, Mike West <> wrote:
> On Thu, Nov 24, 2016 at 3:28 AM, Mark Nottingham <> wrote:
> FYI, updated draft.
> Prettier (and latest) version available at:
> Thanks for the update, Mark! It seems like we agree on broad strokes: a well-known resource defines a set of things for an origin. Clients can preemptively grab that resource, or a server can push it down. I'm confident in that model, and I expect we'll be able to work out the details. :)
> I talked to a number of folks about this in Seoul, and it seems like some potential implementers have a preference for a header-based approach, rather than creating a JSON data structure with semantics that diverge from headers.
> This is my gut feeling too, but it could be that they were agreeing with me because I was there. Another approach is suggested by Mike West here:
> The differences between our proposals seems to boil down to how we wish to model the "things" that are defined for an origin. The "site-wide headers" proposal runs with the status quo, HTTP-based approach of response headers that have origin-wide impact, and standardizes a mechanism of distinguishing those headers in the future. The "origin policy" proposal seems like a superset of that approach, allowing legacy headers to be pinned origin-wide, while also making room for policy definition in a non-resource-specific way. That seems like a better long-term model to me.
> Historically, response headers have been the most convenient way of establishing origin-wide policy, because they exist and developers can easily poke at them. It's easier to alter application code to send a new `Strict-Transport-Security` header rather than, for instance, altering an HTTP server to send new data as part of a TLS handshake. The mental model, however, is muddled at best, elevating any arbitrary resource to govern the entire origin.
> The site-wide headers proposal extends this pattern, envisioning a future where we have a few legacy site-wide headers with strange names, and more modern site-wide headers with a `site-` prefix. Any arbitrary response may still exercise control over the site, and each new feature must be modeled as a response header. I'd prefer to avoid both of these implications.
> In fact, I'd suggest that both of our proposals implicitly recognize this as folly, and choose instead to endow _only_ a particular resource with origin-wide authority. Neither proposal uses that resource's response headers to set the policy, but instead the resource's content. I think we're only talking about headers at all because of historical precedent, and I'd be pretty happy limiting origin-policy's header-based mechanism to something like the list in (probably with some additions for headers whose ship has sailed, like Emily's `Referrer-Policy`).
> I'm happy with that legacy behavior for things like CSP, because `Content-Security-Policy` is quite explicitly a resource-specific header with resource-specific implications. Modeling it as part of a particular response (even if it's set on an origin-wide basis) seems reasonable: the developer is claiming "Each of the resources on this origin will have a policy something like this, but they might differ a bit." `Referrer-Policy` and `Access-Control-Allow-Origin` are similarly resource-specific. The origin policy proposal tries to recognize this by giving explicit "baseline" or "fallback" options for overrides ( (regardless of the approach we take to headers, this bit seems critical to me)).
> I'd contrast that legacy behavior with something like the `cors-preflight` controls sketched out in Things like this don't make much sense to me as an HTTP response header for any particular resource, nor could they reasonably differ between resources. The origin's owner is making declarations about the way Fetch ought to work for the origin at large, independent of any particular response. I'd very much prefer not being forced to model it as a `site-cors-preflight: whatever` header. Likewise, I'd much prefer to suggest to Future Emily that she define a new `certificate-transparency` member in an origin's policy manifest rather than a new `Site-CT` header.
> -mike

Mark Nottingham