Re: draft-ietf-httpbis-replay-03, "5.1. The Early-Data Header Field"

Mark Nottingham <mnot@mnot.net> Tue, 15 May 2018 10:25 UTC



> On 15 May 2018, at 8:06 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> On 2018-05-15 11:46, Mark Nottingham wrote:
>>> But we're back to the problem Julian raised which is:
>>> 
>>>    When Structured Headers parsing fails, the header is discarded
>>> 
>>> Booleans are different from integers. Booleans indicate a status. Eg:
>>> "safe" vs "unsafe". Discarding the "unsafe" status because we failed to
>>> parse it is dangerous.
>>> 
>>> Actually I'm starting to think that the rule consisting in silently
>>> discarding a header field that fails to parse is the problem here.
>>> Normally we're supposed to return "400 bad req" on parsing errors, and
>>> I fear we're becoming too lenient on parsing and introduce a new class
>>> of problems.
>> 400 is for HTTP-level parsing issues; e.g., message delimitation -- at least from generic HTTP implementations. Not being able to parse an extension header is a totally different thing.
> 
> 400 is for anything caused by the client, and not covered by a more specific 4xx code.

Yes, but its use is not required upon any error by the client.

> It might make sense to define a new 4xx code to cover the case of a syntax error in a request header field value.

Do we have examples of extension headers needing / doing this? 

None of the ones in recent memory do (e.g., Access-Control-Allow-*, Accept-Patch, Accept-Post, ALPN, Alt-Used, Cookie (bis), HTTP2-Settings, Origin, Prefer).

That's not to say that we'll never encounter another header that justifies a hard error reflected in a status code, just that it doesn't seem common, so we might be optimising (well, specifying) prematurely here.

I would say we could define a "SH-Errors-Encountered" header to stick onto a 400, but I think that creates a more complex, coupled protocol than we want here (YMMV), and it would encourage header authors to generate that 400, rather than having safe defaults -- which is I think the pattern we want them to be following.

Cheers,


--
Mark Nottingham   https://www.mnot.net/
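
The failure mode debated in this thread, as an added Python sketch (not part of the original message and not the draft's text): it contrasts discarding an Early-Data field that fails to parse with a fail-safe default that treats any such field as present. It assumes "1" is the only valid field value, that a refused request gets the replay draft's 425 (Too Early) status, and a hypothetical origin policy that refuses non-safe methods in early data; the sample requests are constructed.

```python
# Added illustration; names and policy are assumptions, not draft text.
from typing import Callable, List, Optional, Tuple

Headers = List[Tuple[str, str]]
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # hypothetical origin policy
VALID_VALUE = "1"                           # assumed sole valid value


def field_values(headers: Headers, name: str) -> List[str]:
    """Collect every instance of a field; names are case-insensitive."""
    return [v for n, v in headers if n.lower() == name.lower()]


def strict_parse(values: List[str]) -> Optional[bool]:
    """Return True for exactly one valid instance, None on any parse error."""
    if len(values) != 1 or values[0].strip(" \t") != VALID_VALUE:
        return None
    return True


def discard_on_failure(values: List[str]) -> bool:
    """Policy A: a field that fails to parse is treated as never sent."""
    return strict_parse(values) is True


def fail_safe(values: List[str]) -> bool:
    """Policy B: any instance, valid or not, marks the request as early."""
    return len(values) > 0


def decide(method: str, headers: Headers,
           policy: Callable[[List[str]], bool]) -> int:
    """Return the status an origin would answer with under a given policy."""
    early = policy(field_values(headers, "Early-Data"))
    if early and method.upper() not in SAFE_METHODS:
        return 425  # ask the client to retry after the handshake completes
    return 200


# Constructed requests: well-formed, malformed, and absent field.
WELL_FORMED: Headers = [("Host", "example.test"), ("Early-Data", "1")]
MALFORMED: Headers = [("Host", "example.test"), ("early-data", "yes")]
ABSENT: Headers = [("Host", "example.test")]

if __name__ == "__main__":
    for label, hdrs in (("well-formed", WELL_FORMED),
                        ("malformed", MALFORMED), ("absent", ABSENT)):
        print(label, decide("POST", hdrs, discard_on_failure),
              decide("POST", hdrs, fail_safe))
```

Only the malformed case separates the two policies: discarding lets the POST through as if it had not arrived in early data, while the fail-safe default still refuses it.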