Re: ORIGIN - suggested changes

Mark Nottingham <mnot@mnot.net> Sat, 04 February 2017 00:53 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B31851293E9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 3 Feb 2017 16:53:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.119
X-Spam-Level:
X-Spam-Status: No, score=-10.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQ5fxICVePjs for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 3 Feb 2017 16:53:27 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3F0A126BF6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 3 Feb 2017 16:53:26 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cZoYR-0005Za-Kh for ietf-http-wg-dist@listhub.w3.org; Sat, 04 Feb 2017 00:50:15 +0000
Resent-Date: Sat, 04 Feb 2017 00:50:15 +0000
Resent-Message-Id: <E1cZoYR-0005Za-Kh@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1cZoYM-0005G1-4C for ietf-http-wg@listhub.w3.org; Sat, 04 Feb 2017 00:50:10 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <mnot@mnot.net>) id 1cZoYF-0007sq-GJ for ietf-http-wg@w3.org; Sat, 04 Feb 2017 00:50:04 +0000
Received: from [192.168.3.104] (unknown [124.189.98.244]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id A774622E1F3; Fri, 3 Feb 2017 19:49:39 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <933D3A82-615A-4C75-8F3D-8298E8C6969E@greenbytes.de>
Date: Sat, 4 Feb 2017 11:49:35 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <martin.thomson@gmail.com>, "Nygren, Erik" <nygren@akamai.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4E2307AE-721B-4F4F-9B72-5E661273C704@mnot.net>
References: <C3CCA267-F5B5-4827-AC27-9853BDADACDE@mnot.net> <CABkgnnWaN6Kaq28=a+At_YQcZmG_o0-VRMAWBABzdLz-RBxxPA@mail.gmail.com> <5D2EB826-204B-44FC-AB42-B0BBECF9AE62@mnot.net> <CABkgnnX26M2P1Kp-PxPDzREZGp0nGfuJubgTqrs9Hr7n8ttqdA@mail.gmail.com> <373E9285-B023-4D42-A749-368649E34252@mnot.net> <2DAB7A8F-2614-4448-8DA9-6967E6E3BD06@mnot.net> <933D3A82-615A-4C75-8F3D-8298E8C6969E@greenbytes.de>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
X-Mailer: Apple Mail (2.3259)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-7.3
X-W3C-Hub-Spam-Report: AWL=2.349, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1cZoYF-0007sq-GJ 93203900fe1bee0fa1ee9c3ae2392c5d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: ORIGIN - suggested changes
Archived-At: <http://www.w3.org/mid/4E2307AE-721B-4F4F-9B72-5E661273C704@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33438
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hey Stefan,

> On 4 Feb 2017, at 12:22 am, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
> 
> Looks good to me.
> 
> *But* I think I would be good to have an ORIGIN frame that says: please revert your ORIGIN set back to undefined for this connection (and erase all 421 derived information).
> 
> This should be less complex than individual removes and provide for changes on very long lived connections.

I hear what you're saying, but so far the strongest blocker for this spec has been complexity, so I'd like to hear what others (especially implementers on the client side, where most of the work is) think. 




> 
> -Stefan
> 
>> Am 03.02.2017 um 01:43 schrieb Mark Nottingham <mnot@mnot.net>et>:
>> 
>> I've done some more updating:
>> https://github.com/httpwg/http-extensions/pull/285
>> 
>> At this point, the diff isn't too helpful, so see attached.
>> 
>> Changes include:
>> 
>> 1. Removing set manipulation flags
>> 2. Reserving some flags for future backwards-incompatible extensions (which makes me feel a bit better about #1)
>> 3. Note impact upon Server Push
>> 4. Added IANA Considerations and Operational Considerations
>> 5. Lots of clarifications
>> 
>> Feedback welcome, as always.
>> 
>> 
>> <draft-ietf-httpbis-origin-frame.html>
>> 
>> 
>>> On 2 Feb 2017, at 12:30 pm, Mark Nottingham <mnot@mnot.net> wrote:
>>> 
>>> 
>>>> On 2 Feb 2017, at 12:23 pm, Martin Thomson <martin.thomson@gmail.com> wrote:
>>>> 
>>>> On 2 February 2017 at 10:12, Mark Nottingham <mnot@mnot.net> wrote:
>>>>> I don't buy the argument that removal itself adds complexity. Implementations already need to remember what origins they received a 421 for, so they already have the concept of origin set removal.
>>>> 
>>>> Well, you just established why it might be unnecessary.  The gain here
>>>> is in the client not sending a request to the wrong place.  But if
>>>> this is rare enough, then that cost is probably bearable.
>>> 
>>> Right, but the whole point of ORIGIN is to avoid those situations. 
>>> 
>>> 
>>>> The "everything except those" case doesn't concern me that much.
>>>> Iknow it's relatively common, but it is fairly rare that the set of
>>>> origins that are used is not easily enumerable, or incrementally
>>>> discoverable.
>>> 
>>> Spoken like a true browser vendor :) 
>>> 
>>> It'd be good to get a bit more data here from server-side folks. Anyone share this concern? I note that Nick seems to be OK with it.
>>> 
>>> Cheers,
>>> 
>>> --
>>> Mark Nottingham   https://www.mnot.net/
>>> 
>>> 
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 
> 
> Stefan Eissing
> 
> <green/>bytes GmbH
> Hafenstrasse 16
> 48155 M√ľnster
> www.greenbytes.de
> 
> 

--
Mark Nottingham   https://www.mnot.net/