Re: JSON headers

Carsten Bormann <cabo@tzi.org> Tue, 12 July 2016 06:47 UTC

To: Julian Reschke <julian.reschke@gmx.de>
CC: Willy Tarreau <w@1wt.eu>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Yanick Rochon <yanick.rochon@gmail.com>, Phil Hunt <phil.hunt@oracle.com>, HTTP Working Group <ietf-http-wg@w3.org>

> It is allowed by the structure of the *wire format*.

The syntax indeed cannot prevent it.
It's still not *allowed* in JSON.

> The *specification* has a "SHOULD have unique names", but then, that's
> only a SHOULD (exactly because we know we can't rely on it, otherwise we
> wouldn't have the prose about what recipients can do with it).

It is a SHOULD because people were chickening out because of a possible
political conflict with ECMA 404.  Note well that no reason is given to
ever violate that SHOULD.

Now, for performance reasons, there is no requirement on a receiver to
check for this constraint.  Protocol design 101 tells us that a lack of
checking will cause implementations to emit invalid JSON just because
they can (the "soup" effect).  Hence the description in RFC 7159 of what
goes wrong when you do that.  (However, the security considerations fail
to mention the check-vs-use vulnerabilities that inevitably come from
the variety in implementation strategies; the last paragraph of Section
8 of RFC 7049 does apply.)

This discussion may be a bit off-topic for the HTTP WG, but I think it
is important to understand JSON when using it in HTTP.

Grüße, Carsten
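
Added example, not part of the original message: a Python sketch of the check-vs-use divergence the message refers to, where one component validates a JSON object using the first occurrence of a duplicated name while another acts on the last, next to a receiver that rejects duplicate names outright. The function names and the sample document are constructed for illustration.

```python
import json


class DuplicateNameError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # Called by the decoder once per object (nested ones included),
    # with the members in wire order.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateNameError(f"duplicate member name: {name!r}")
        seen[name] = value
    return seen


def _first_wins(pairs):
    # Models an implementation that keeps the first occurrence of a name.
    out = {}
    for name, value in pairs:
        out.setdefault(name, value)
    return out


def strict_loads(text):
    """Parse JSON, refusing any object that has duplicate names."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def is_rejected(text):
    try:
        strict_loads(text)
    except DuplicateNameError:
        return True
    return False


def check_vs_use(text, name):
    """Return (value the checker sees, value the consumer sees)."""
    checker = json.loads(text, object_pairs_hook=_first_wins)
    consumer = json.loads(text)  # Python's json keeps the last occurrence
    return checker[name], consumer[name]


# Constructed sample: syntactically parseable, but "scope" appears twice.
SAMPLE = '{"scope": "read", "meta": {"id": 1}, "scope": "write"}'

if __name__ == "__main__":
    print(check_vs_use(SAMPLE, "scope"))  # the two views disagree
    print(is_rejected(SAMPLE))            # the strict receiver refuses it
```
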