IETF Logo Mail Archive

Re: Issue #356: Form-encode Expect-CT report bodies?

Patrick McManus <mcmanus@ducksong.com> Sat, 10 June 2017 09:23 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B5CD124D37 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 10 Jun 2017 02:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.401
X-Spam-Level:
X-Spam-Status: No, score=-6.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sendgrid.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zm6X8lVuPPIo for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 10 Jun 2017 02:23:09 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCC2D1201F2 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 10 Jun 2017 02:23:09 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.84_2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1dJcZU-0007X7-QY for ietf-http-wg-dist@listhub.w3.org; Sat, 10 Jun 2017 09:20:40 +0000
Resent-Date: Sat, 10 Jun 2017 09:20:40 +0000
Resent-Message-Id: <E1dJcZU-0007X7-QY@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net>) id 1dJcZL-0007WF-Tg for ietf-http-wg@listhub.w3.org; Sat, 10 Jun 2017 09:20:31 +0000
Received: from o1682455182.outbound-mail.sendgrid.net ([168.245.5.182]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net>) id 1dJcZE-0006IW-VC for ietf-http-wg@w3.org; Sat, 10 Jun 2017 09:20:26 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me; h=mime-version:in-reply-to:references:from:subject:to:cc:content-type; s=smtpapi; bh=UGuaHH64Eyej7co5pv0Vqzvldug=; b=cH73pj+EhwCUHdBQ4W xBWGtNDIEbGUt56mQfTLqHCSY7zkQJwVMZkOdic1YNONKXgH5Vhtkxnl0abLpspi MgJQwWur+XmPQ/ofVzMaNdhJo3Wvw+oTawH9vV44eVpf8ISfeSe2V7P0gR8Gjct7 /lRhCa38Vz1DXGo/rMNEnR3gE=
Received: by filter0841p1mdw1.sendgrid.net with SMTP id filter0841p1mdw1-17392-593BB9A5-32 2017-06-10 09:19:33.481011437 +0000 UTC
Received: from mail-qk0-f174.google.com (mail-qk0-f174.google.com [209.85.220.174]) by ismtpd0004p1iad1.sendgrid.net (SG) with ESMTP id UI_LNvcZQ9C-vXqlM_MRFg for <ietf-http-wg@w3.org>; Sat, 10 Jun 2017 09:19:33.474 +0000 (UTC)
Received: by mail-qk0-f174.google.com with SMTP id d14so12629760qkb.1 for <ietf-http-wg@w3.org>; Sat, 10 Jun 2017 02:19:33 -0700 (PDT)
X-Gm-Message-State: AKS2vOwTj8Yo8Qw9X+73libctUTtHc7aMAIMyVXLTHIEnoD3RCIkyAWM 4Kh9mQbjGtjm67pDAIPO7z2nM+kNVg==
X-Received: by 10.55.55.207 with SMTP id e198mr57634802qka.44.1497086373101; Sat, 10 Jun 2017 02:19:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.182.87 with HTTP; Sat, 10 Jun 2017 02:19:32 -0700 (PDT)
In-Reply-To: <CABkgnnVBNHUoSHud88PJGNziA3BMRU7Sd5jhkqVtKfdrGxJHZQ@mail.gmail.com>
References: <CAPP_2Sa+6eSAChgp8KrzabPJUkMmiKBhWp1dFhS0zOVnXrenLw@mail.gmail.com> <CAOdDvNoStrOu=SSZJrKMsQFjG2YVtiLqMdvXP_1PKJ_a+58Mfw@mail.gmail.com> <CABkgnnUVYB1Dqh4efe25bKx=-2iOBXHZg=3fgXjvbRn28b6nuw@mail.gmail.com> <CAOdDvNqquZymrmE3i3DFfdgVUuq-iWxr0+jvO3AF0NymnJK9Zg@mail.gmail.com> <CAPP_2SYNkReoDOjRKdEWtrP=ZGhPO2mKCoQm9Pm7LjcNLyoC+Q@mail.gmail.com> <CAPP_2SYLpKBo-rWV4oMG7V3FeN4aZ7fZEOdFgwFC8ASmFKmvqA@mail.gmail.com> <CABkgnnWU09-kV8gAu6xZV7n-rvrmL6R98EzA7O7nxTjBMFntpQ@mail.gmail.com> <CAPP_2Sa7b3XTgFE0VcF7-ffxYMOuhR8vHTROL88RDus4foP8CA@mail.gmail.com> <CABkgnnU-c4FbBNGz4V-jpO-Rwc5Evy7DFzmBdsT0xkZFv+Drxg@mail.gmail.com> <CAPP_2SY8h-ymtTubY0GMLqWctP4MXXu9nSiUU228gJ5drzZZQg@mail.gmail.com> <CABkgnnXEUdZ9M=911wGcNVqL+=qpwfvnE+3rNu1g3ApepyCKFA@mail.gmail.com> <CAPP_2SYJGXqLOh_E56Aou5RgO2mLNzUYWVZHmwu9_vN2MsV9XA@mail.gmail.com> <CABkgnnVBNHUoSHud88PJGNziA3BMRU7Sd5jhkqVtKfdrGxJHZQ@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Sat, 10 Jun 2017 11:19:32 +0200
X-Gmail-Original-Message-ID: <CAOdDvNobhQ16V4AqRVQk0RMA76t6H5qzwgpt9SWckSxpS4iirg@mail.gmail.com>
Message-ID: <CAOdDvNobhQ16V4AqRVQk0RMA76t6H5qzwgpt9SWckSxpS4iirg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Emily Stark <estark@google.com>, Patrick McManus <mcmanus@ducksong.com>, httpbis <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Content-Type: multipart/alternative; boundary="001a1146edec7787c8055197953c"
X-SG-EID: YLWet4rakcOTMHWvPPwWbcsiUJbN1FCn0PHYd/Uujh5pLHAhPNEBhJKX8CDfAXNJmEdWqD6w5nlEOp hX14J8P8gayo9rXiNtiVo1RyYlznuzcY8gCpI8FqXqo/FdygX5irmFSNZ2Cr44qHS1YXvRJ3PohT1J Ea7R5vawk+GClO5twHpQQOoXrOpXJU/8zmW81HMbCSuQaNZTME8DvGmq2d4o0C79LnsXGZwUrZvFqd E=
Received-SPF: pass client-ip=168.245.5.182; envelope-from=bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net; helo=o1682455182.outbound-mail.sendgrid.net
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: AWL=-1.230, BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1dJcZE-0006IW-VC fe33ba900a4b0e5f3199d59bfab73ab1
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Issue #356: Form-encode Expect-CT report bodies?
Archived-At: <http://www.w3.org/mid/CAOdDvNobhQ16V4AqRVQk0RMA76t6H5qzwgpt9SWckSxpS4iirg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33978
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

First, I think it would be good for the expect-ct spec to give reporting
servers a little non normative advice to be ready for cors and preflights.
Something complementary to the client mention now.

second, cors clearly makes some distinction between UA content and
content-content.. request headers for example. The notion being that the UA
can effectively make at least some decisions about what will botch things
up compared to what arbitrary JS might do. A whole request body formatted
by the UA, such as done by expect-ct reporting, must fall on this spectrum
somewhere (though I'm not certain where) in between. I agree with Emily
(and others in the thread cited) that not everything is subject to cors and
I'm not sure that "content controls the uri" is the sole determining factor.

But, as interesting as this discussion is, httpbis doesn't make cors
decisions. In that spirit the null origin stm the 'right way to use http'
if you can't figure out the real origin.. but text/plain (while being a
less true to the type'd nature of http) goes down the road of the "the UA
believes it has the right to declare this content safe enough to not
require cors" which also seems kinda reasonable overall if less pure http.




On Sat, Jun 10, 2017 at 10:55 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> For those who are reading this and eating popcorn, this is probably
> worth reading also... <https://github.com/whatwg/fetch/issues/530>
>
> On 9 June 2017 at 16:42, Emily Stark <estark@google.com> wrote:
> > As I said in my first message, implementing true preflights would violate
> > very core architectural principles in Chrome, and would jeopardize our
> > ability to ship an implementation. Maybe there are other implementors who
> > would like to chime in to the contrary, but as of now I'm not very
> inclined
> > to specify something that can't realistically be implemented.
>
> I wanted to poke at that a little.  Expect-CT is a header field, sent
> by a particular origin.  You store the tuple of origin, the expect CT
> mode (none, report, require), and the report URI somewhere.  Then when
> you connect to an origin you retrieve any stored tuple and compare
> what you get with what you expect.  I don't see how a stack would be
> unable to preflight at that point.  It has the information it needs
> for a preflight check.
>
> I recognize that a particular piece of software might be constructed
> in a way that makes this difficult, but it can't be impossible.
>
> Question: how do you manage the checks when you are using alternative
> services?  I expect that you need to store a target origin for the
> connection attempt, rather than using the host and port or SNI and
> port that you are connecting to.  (This doesn't complicate things
> regarding the question at hand, but I don't see any text on this
> point.)
>
>

v2.23.0 | Report a Bug | By Email