Re: Structured request headers deployment issues

Julian Reschke <julian.reschke@gmx.de> Thu, 18 June 2020 11:00 UTC

To: Yoav Weiss <yoav@yoav.ws>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Cc: Mark Nottingham <mnot@mnot.net>, Tommy Pauly <tpauly@apple.com>, Ilya Grigorik <igrigorik@gmail.com>, Mike West <mkwst@google.com>
Archived-At: <https://www.w3.org/mid/65202eea-3f19-ba6b-50e9-6cd73d87bbea@gmx.de>

On 16.06.2020 00:15, Yoav Weiss wrote:
> Hey all,
>
> Chromium M84 (whose Chrome equivalent is now in Beta) has User-Agent
> Client Hints enabled by default, which is using Structured Headers.
>
> As a result of that, we found multiple sites
> <https://bugs.chromium.org/p/chromium/issues/detail?id=1091285> which
> seem to have a somewhat allergic reaction to the presence of certain
> characters (that are part of the SH format) in request values.
> While each site in question is different (in what appears to be coming
> from different stacks), we've seen sites that reject requests with
> quotes, question marks or equals signs in them.
> It's still early, so it's hard to know how widespread the issue is, but
> we seem to be adding sites to the list at a faster pace than the pace of
> removing fixed ones from it.
>
> So, I wanted to give this group a heads-up on that front, and maybe get
> folks' opinions regarding possible things we could do on that front,
> other than outreach and waiting for said sites to fix themselves.
> ...

Thanks for the heads up.

It would be a really bad outcome if that meant that we can't define new
request header fields using certain delimiters in their values.

That said, the latest change on the ticket appears to be from Monday, so
maybe the situation is not as bad as you feared?

Best regards, Julian
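
The failure mode discussed in this thread, as an added example that is not part of the original messages: a server-side header-value filter whose character allowlist has no room for Structured Headers delimiters, beside a filter based on the RFC 7230 field-value grammar. The filter patterns, function names and sample header values are assumptions constructed for illustration, not taken from any of the affected sites.

```python
import re

# Constructed sample request headers in Structured Headers syntax, shaped like
# User-Agent Client Hints (illustrative values, not captured traffic).
SAMPLE_HEADERS = {
    "Sec-CH-UA": '"Chromium";v="84", "Google Chrome";v="84"',
    "Sec-CH-UA-Mobile": "?0",
    "Accept-Language": "en-US,en;q=0.9",
}

# Hypothetical over-strict rule: an allowlist tuned to the header values a
# site happened to see in the past, with no room for '"' or '?'.
STRICT_VALUE = re.compile(r"[A-Za-z0-9 ,;=./*()+:_-]*")

# Rule derived from the RFC 7230 field-value grammar: HTAB, SP, VCHAR and
# obs-text are legal; CR, LF, NUL and other control characters are not.
# Assumes the value was decoded as Latin-1, so obs-text is U+0080..U+00FF.
RFC7230_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def rejected_by(pattern, headers):
    """Return the sorted names of headers whose whole value fails the pattern."""
    return sorted(n for n, v in headers.items() if not pattern.fullmatch(v))


def delimiters_blocked(pattern, delimiters='"?=;,'):
    """Return the delimiter characters that the pattern refuses on their own."""
    return [c for c in delimiters if not pattern.fullmatch(c)]


if __name__ == "__main__":
    for label, rule in (("strict", STRICT_VALUE), ("rfc7230", RFC7230_VALUE)):
        print(label, "rejects headers:", rejected_by(rule, SAMPLE_HEADERS))
        print(label, "blocks delimiters:", delimiters_blocked(rule))
    # The grammar-based rule still refuses header injection via CR/LF.
    print("CRLF accepted:", bool(RFC7230_VALUE.fullmatch("x\r\nInjected: 1")))
```

Running `delimiters_blocked` against a production filter rule in a test suite shows in advance which new request header fields it would break.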