Re: #904: Content on GET requirement strength
Asbjørn Ulsberg <asbjorn@ulsberg.no> Fri, 16 July 2021 20:46 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 580D93A08A5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 16 Jul 2021 13:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.997
X-Spam-Level:
X-Spam-Status: No, score=-2.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ulsberg.no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zMhZhm6R7y0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 16 Jul 2021 13:46:49 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3206C3A08FC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 16 Jul 2021 13:46:48 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1m4UhG-0001SG-Ph for ietf-http-wg-dist@listhub.w3.org; Fri, 16 Jul 2021 20:44:34 +0000
Resent-Date: Fri, 16 Jul 2021 20:44:34 +0000
Resent-Message-Id: <E1m4UhG-0001SG-Ph@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <asbjorn@ulsberg.no>) id 1m4UhE-0001RT-B0 for ietf-http-wg@listhub.w3.org; Fri, 16 Jul 2021 20:44:32 +0000
Received: from mail-qv1-f54.google.com ([209.85.219.54]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <asbjorn@ulsberg.no>) id 1m4UhC-0005Pr-Bg for ietf-http-wg@w3.org; Fri, 16 Jul 2021 20:44:32 +0000
Received: by mail-qv1-f54.google.com with SMTP id i4so5226311qvq.10 for <ietf-http-wg@w3.org>; Fri, 16 Jul 2021 13:44:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ulsberg.no; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=lw7h1k7Ycb8QYtg85McIvOrjG/H3FwngT3VdhR9gDLw=; b=RXTPJJZyJgynegPgYag4YYS0pK6BchCRbQvBYkhieG27AjxxEqd0vWM+i+ofNw5TiF SIKaY6qPb9zyKoHyjFXBAasHjinaibG2xSJr5biFUigmOeLSqLkPgR5iPqIsphCMI3Cf YnVVbZjVxQCQP4O0SfFfxF1srJnwtAVx94Ox7oVOUnYMXASbZU3taAgCU8jla6k9MIsY 5L5BbzmRkCGMc9GsX6UZm9XvAx634p+McVSlpN4ul3B2xySk9MPuRxaTpLrNtMMaP7by C4/NZONR+w1SkeCLfn5hzhWp42ulb85+lUKQpcnBM/YScmoIaqUxZRnIn+DWo5SOpUIM Kq8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=lw7h1k7Ycb8QYtg85McIvOrjG/H3FwngT3VdhR9gDLw=; b=sO9RvzvmuFkylKmFp0aTmSoEkF6tZsx4jN/Yi81/xJ7SXa5f2pKtyZbRK5GquwQdwG z2AqANId91Rtfh42MUhXK7kKT7TyGnnB4a2VrV0l/Oi5Vz5OHWlJvbP06grVcVC5JA0r l/VR7G4VMVvW9st3qXyDErziF1yXME2gHsx9sSXIPHrSBu3MJeXwg+1/olEZq64ZTjfu cEHdAM1p2vtNOd4by1Q6lCXHc5ABM+4AOZvrxidysJMMv389peH1A6lLUzglpejkPY/C 6HI/FeOW4cxRchDnUqORLlJ+DzislHg9OsvpQq+9n8t3h3pqjYx7pl4/Fxfi5arRIOwV xWlA==
X-Gm-Message-State: AOAM531DI3f24ARcRFVfP6mqH7+uZYEtRTFJFgASo8eME27FcOz4Nenj I+vt24v7wyKnMaNJbDnE7FnyOf0+bz2h4Q==
X-Google-Smtp-Source: ABdhPJy+xqEA9RpJULKrZtEO3AkTuqf0lcg+6cYZjyJTZ9QlRMygrkdqdyz2EpPLcRo+mvi5LTTUPg==
X-Received: by 2002:ad4:5b86:: with SMTP id 6mr12136610qvp.17.1626468199153; Fri, 16 Jul 2021 13:43:19 -0700 (PDT)
Received: from mail-yb1-f170.google.com (mail-yb1-f170.google.com. [209.85.219.170]) by smtp.gmail.com with ESMTPSA id p10sm4351698qkp.48.2021.07.16.13.43.18 for <ietf-http-wg@w3.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 16 Jul 2021 13:43:18 -0700 (PDT)
Received: by mail-yb1-f170.google.com with SMTP id a16so16875746ybt.8 for <ietf-http-wg@w3.org>; Fri, 16 Jul 2021 13:43:18 -0700 (PDT)
X-Received: by 2002:a25:3447:: with SMTP id b68mr15606432yba.319.1626468197927; Fri, 16 Jul 2021 13:43:17 -0700 (PDT)
MIME-Version: 1.0
References: <BFB50EB9-90E2-44B0-B469-4FBFA0488BFE@mnot.net> <BLAPR22MB2259BDE901088D82A1033F45DA119@BLAPR22MB2259.namprd22.prod.outlook.com> <9D46B333-D2F1-4D1D-9BE3-D6B701167B70@tzi.org> <CAF8qwaDXjHZ6cQO5512VsDi7ZRT0wq5h3NQWuR4x67Fq_Qn9Mg@mail.gmail.com>
In-Reply-To: <CAF8qwaDXjHZ6cQO5512VsDi7ZRT0wq5h3NQWuR4x67Fq_Qn9Mg@mail.gmail.com>
From: Asbjørn Ulsberg <asbjorn@ulsberg.no>
Date: Fri, 16 Jul 2021 22:43:05 +0200
X-Gmail-Original-Message-ID: <CAEdRHi7iH060t0xhOtuiEj2vApfD5KRu=v-6LBErp+6v+z=pyQ@mail.gmail.com>
Message-ID: <CAEdRHi7iH060t0xhOtuiEj2vApfD5KRu=v-6LBErp+6v+z=pyQ@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: Carsten Bormann <cabo@tzi.org>, Mike Bishop <mbishop@evequefou.be>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=209.85.219.54; envelope-from=asbjorn@ulsberg.no; helo=mail-qv1-f54.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=asbjorn@ulsberg.no domain=ulsberg.no), signature is good
X-W3C-Hub-Spam-Status: No, score=-9.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1m4UhC-0005Pr-Bg 02825482c54d191930e1a33b56dea729
X-Original-To: ietf-http-wg@w3.org
Subject: Re: #904: Content on GET requirement strength
Archived-At: <https://www.w3.org/mid/CAEdRHi7iH060t0xhOtuiEj2vApfD5KRu=v-6LBErp+6v+z=pyQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/39043
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
fre. 16. jul. 2021 kl. 18:40 skrev David Benjamin <davidben@chromium.org>: > Is the spec's explanation of the implications here even sufficient? In > addition to the request getting potentially rejected, might it also lead to an > actual request smuggling attack if the server doesn't reject the request but, > instead, interprets it differently? Indeed. As far as I can tell, there's also a potential security and privacy issue in having an intermediate cache reuse the response from a prior query because it (rightly) does not consider the request body to be significant when keying the cache entry. This can both lead to unauthorized access to data as well as a possible cache poisoning vector. > Given the security risk, the current text doesn't seem strong enough to me. Agreed. But I think it may be worth reflecting on why GET with a body is an issue worth discussing both here on the mailing list and in the HTTP spec itself. Enough implementations of this anti-pattern over the years have made it evident (at least to me) that there is a need for a safe HTTP method sporting a request body. The most common use case is performing complex queries where the query string either reveals too much information, causes length issues, or is just too messy. To accommodate these use cases, an I-D for a safe method with body has been initiated: https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/ With such a method in the implementer's toolbox, I'm pretty certain a MUST NOT requirement would be easy to swallow. However, since the I-D is still far from completion and there are no standardized alternatives to GET with body, a more elaborate explanation of potential security and privacy risks and stronger language with the current SHOULD NOT requirement seems appropriate. -- Asbjørn Ulsberg -=|=- asbjorn@ulsberg.no «He's a loathsome offensive brute, yet I can't look away»
- #904: Content on GET requirement strength Mark Nottingham
- RE: #904: Content on GET requirement strength Mike Bishop
- Re: #904: Content on GET requirement strength Carsten Bormann
- Re: #904: Content on GET requirement strength David Benjamin
- Re: #904: Content on GET requirement strength Julian Reschke
- Re: #904: Content on GET requirement strength Willy Tarreau
- Re: #904: Content on GET requirement strength Asbjørn Ulsberg
- Re: #904: Content on GET requirement strength Carsten Bormann
- Re: #904: Content on GET requirement strength Rafal Pietrak
- SEARCH Julian Reschke
- Re: SEARCH Rafal Pietrak
- Re: #904: Content on GET requirement strength Mark Nottingham
- Re: #904: Content on GET requirement strength Amos Jeffries
- Re: #904: Content on GET requirement strength Willy Tarreau