Structured request headers deployment issues
Yoav Weiss <yoav@yoav.ws> Mon, 15 June 2020 22:19 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B05C3A0E9C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 15 Jun 2020 15:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.648
X-Spam-Level:
X-Spam-Status: No, score=-2.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yoav-ws.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U8PFCHlOA8-m for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 15 Jun 2020 15:18:59 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72F2F3A0E9B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 15 Jun 2020 15:18:58 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jkxOJ-00014m-4j for ietf-http-wg-dist@listhub.w3.org; Mon, 15 Jun 2020 22:15:43 +0000
Resent-Date: Mon, 15 Jun 2020 22:15:43 +0000
Resent-Message-Id: <E1jkxOJ-00014m-4j@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <yoav@yoav.ws>) id 1jkxOE-000140-Rz for ietf-http-wg@listhub.w3.org; Mon, 15 Jun 2020 22:15:38 +0000
Received: from mail-lf1-x131.google.com ([2a00:1450:4864:20::131]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <yoav@yoav.ws>) id 1jkxOB-0001iA-15 for ietf-http-wg@w3.org; Mon, 15 Jun 2020 22:15:38 +0000
Received: by mail-lf1-x131.google.com with SMTP id d27so5939119lfq.5 for <ietf-http-wg@w3.org>; Mon, 15 Jun 2020 15:15:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yoav-ws.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to:cc; bh=j00wCmBTdXOoXtNGE/lNQd5eOyfUgzuC1BfNg1JgOcU=; b=DjQsNe4BWwoZxY+Sh9Z3fqla5M+0AxLo6BAnr7UeBltAxHVdEuJHTwfBXFtJU97giE 43pj1p2Yz3H65y/pjVzeRgEkfH0oSMC9/u4psZ1OxikSv9ex5JYueSaZojwUPDeBtoUj nxyba3cV0fC2dI1MsZPlqSRWW+Wa9L5M3kGXeQuvliM32i0fsolY4AtaHwVGIiGD0aVZ 6k9rZ8LQZ4HHjzAF6wHVnysYsFP5BghWdeD4muxKhTRuMMIjgVDGw1AiBTIGcj78UJ5z E6t5rxaI2fG/y8zV99FwoKHsEbWrxm8IuP12S78gL+788vfp5y0Q9/jRUuLv+EBxo5AG QZsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=j00wCmBTdXOoXtNGE/lNQd5eOyfUgzuC1BfNg1JgOcU=; b=BN4g7gqiMwdxYpgraIm7iPEkRyJama+bCGnLTRIeVebCB0e3Ees9wvjeMfM5ueEgUI 5EdiNjf4a73VKS0cIyeRB34tWXu1ewPaRs+MPWOvqwBQX3eDQDkK4ox9qNbpuMIN+DVv eYc8OPUXxgt6uPul7AOfzuAVYD2hAEBbNURJYqj8tVj/Dyim3I2wjiC6hDUcE4cmApx3 06OyxzfJ8YnFRJ0ZpNim/LpIRhaZDnhLM9Dt62bHWv4WI4em8HD9T1L0fFJ3QernqYZv 0B2HfkWCLsom1YaUbzQmrQLLZFLlbkaji/S1YSK65B3waxhyPhuNKNh5i34KZqWvliMY ohxg==
X-Gm-Message-State: AOAM533l7tMFPRn3m3+I4PqCzStBzaFkiAkrU9vnNicNovrEgnfqo0x2 ErHBPsDMPhDpgCvhxC8mihEgxQSjXKzH2gWqVs5graoW
X-Google-Smtp-Source: ABdhPJwve77+crXEPS/TC0OutlRzpwxurYPfq54Agz9+HieOsoJXuHy+74m3x07uFK9JH4znWf4H+p3dFVJ8bOWlG/Y=
X-Received: by 2002:ac2:5f07:: with SMTP id 7mr64177lfq.132.1592259322619; Mon, 15 Jun 2020 15:15:22 -0700 (PDT)
MIME-Version: 1.0
From: Yoav Weiss <yoav@yoav.ws>
Date: Tue, 16 Jun 2020 00:15:06 +0200
Message-ID: <CACj=BEiT7GnKeS_2wFK8jL0jUFtFYoX-wvXnSsPO4nYJ5P=2bQ@mail.gmail.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Cc: Mark Nottingham <mnot@mnot.net>, Tommy Pauly <tpauly@apple.com>, Ilya Grigorik <igrigorik@gmail.com>, Mike West <mkwst@google.com>
Content-Type: multipart/alternative; boundary="00000000000050c43305a826c30c"
Received-SPF: pass client-ip=2a00:1450:4864:20::131; envelope-from=yoav@yoav.ws; helo=mail-lf1-x131.google.com
X-W3C-Hub-Spam-Status: No, score=-8.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1jkxOB-0001iA-15 64b77f17c53ea5686777f00b25afc2fb
X-Original-To: ietf-http-wg@w3.org
Subject: Structured request headers deployment issues
Archived-At: <https://www.w3.org/mid/CACj=BEiT7GnKeS_2wFK8jL0jUFtFYoX-wvXnSsPO4nYJ5P=2bQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37769
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hey all, Chromium M84 (which Chrome equivalent is now in Beta) has User-Agent Client Hints enabled by default, which is using Structured Headers. As a result of that, we found multiple sites <https://bugs.chromium.org/p/chromium/issues/detail?id=1091285> which seem to have a somewhat allergic reaction to the presence of certain characters (that are part of the SH format) in request values. While each site in question is different (in what appears to be coming from different stacks), we've seen sites that reject requests with quotes, question marks or equals signs in them. It's still early, so it's hard to know how widespread the issue is, but we seem to be adding sites to the list at a faster pace than the pace of removing fixed ones from it. So, I wanted to give this group a heads-up on that front, and maybe get folks' opinions regarding possible things we could do on that front, other than outreach and waiting for said sites to fix themselves. Cheers, Yoav
- Structured request headers deployment issues Yoav Weiss
- Re: Structured request headers deployment issues Julian Reschke
- Re: Structured request headers deployment issues Yoav Weiss
- Re: Structured request headers deployment issues Mark Nottingham
- Re: Structured request headers deployment issues Mike West
- Re: Structured request headers deployment issues Yoav Weiss
- Re: Structured request headers deployment issues Yoav Weiss
- Re: Structured request headers deployment issues Mark Nottingham
- Re: Structured request headers deployment issues Mike West