Re: WGLC: p1 MUSTs

"Roy T. Fielding" <fielding@gbiv.com> Thu, 01 August 2013 10:47 UTC

From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <5180137E.2040603@measurement-factory.com>
Date: Thu, 1 Aug 2013 03:45:38 -0700
Cc: IETF HTTP WG <ietf-http-wg@w3.org>
Message-Id: <62E8B892-7AD7-4A21-A8E2-74C892C8860F@gbiv.com>
References: <D69329FD-7456-46C5-BE24-6E7EE7E48C39@mnot.net> <5180137E.2040603@measurement-factory.com>
To: Alex Rousskov <rousskov@measurement-factory.com>
Subject: Re: WGLC: p1 MUSTs
Archived-At: <http://www.w3.org/mid/62E8B892-7AD7-4A21-A8E2-74C892C8860F@gbiv.com>

Continuing on #484 ...

On Apr 30, 2013, at 11:54 AM, Alex Rousskov wrote:

>> Senders MUST exclude the userinfo subcomponent (and its "@"
>> delimiter) when an "http" URI is transmitted within a message as a
>> request target or header field value.
> 
> The above MUST should not apply to proxies, right? Policing forwarded
> URLs will break applications and policing forwarded extension header
> fields is not possible at all and would violate the "MUST forward" rule.
> How about "senders MUST NOT generate"?

Right, fixed.
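
As a rough illustration only (not text from the draft), a sender that
generates an "http" URI for a request target or header field value
could drop the userinfo along these lines. The function name
strip_userinfo is hypothetical, and the sketch deliberately leaves
other schemes alone since the requirement quoted above is about "http"
URIs.

```python
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(uri: str) -> str:
    """Return an "http" URI without its userinfo subcomponent and "@"."""
    parts = urlsplit(uri)
    # Only "http" URIs are covered by the requirement discussed above.
    if parts.scheme != "http" or "@" not in parts.netloc:
        return uri
    # Everything after the last "@" in the authority is host[:port].
    hostport = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment)
    )


print(strip_userinfo("http://user:pw@example.com:8080/a?b=1"))
```

Note that this only governs what the sender generates; a proxy
forwarding someone else's URI is out of scope for the sketch.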

>> A server MUST be prepared to receive URIs of unbounded length

> This MUST may be demoted to "ought" because "be prepared" is too vague
> (but see below for a related missing MUST).

Fixed.

>> A server MUST be prepared to receive URIs of unbounded length and
>> respond with the 414
> 
> Please insert a second MUST after "and": "and MUST respond".

Fixed.
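
A minimal sketch of the server side of this, assuming a local limit
that the server picks for itself (the 8000 below is an arbitrary
placeholder, not a number taken from this thread, and the function
name is hypothetical):

```python
from typing import Optional

MAX_TARGET_OCTETS = 8000  # assumed local limit, chosen by the server


def status_for_request_line(
    request_line: bytes, limit: int = MAX_TARGET_OCTETS
) -> Optional[int]:
    """Return an error status for a bad request line, or None if acceptable."""
    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return 400  # not "method SP request-target SP HTTP-version"
    _method, target, _version = parts
    if len(target) > limit:
        return 414  # request-target longer than the server is willing to parse
    return None


print(status_for_request_line(b"GET /" + b"a" * 9000 + b" HTTP/1.1\r\n"))
```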

>> Multiple header fields with the same field name can be combined into
>> one "field-name: field-value" pair
> 
> Should this be a MAY as in "The recipient MAY combine multiple ...". As
> worded now, it is not clear whether a proxy is allowed to combine
> headers when forwarding them. Note that this affects extension and other
> headers that a proxy may not understand (but may still want to combine
> if allowed to do so).

Fixed.
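
For what it is worth, the combining step can be sketched as below.
This is an illustration under assumptions, not the draft's wording:
combine_fields is a hypothetical helper, fields are (name, value)
pairs in received order, and Set-Cookie is left uncombined because it
is the well-known case where joining values with commas changes the
semantics.

```python
def combine_fields(fields):
    """Merge repeated field names into one comma-separated value, in order."""
    out = []    # list of [name, value], in first-seen order
    index = {}  # lowercased field name -> position in out
    for name, value in fields:
        key = name.lower()  # field names are case-insensitive
        if key != "set-cookie" and key in index:
            # Append to the earlier value, preserving the received order.
            out[index[key]][1] += ", " + value
        else:
            if key != "set-cookie":
                index[key] = len(out)
            out.append([name, value])
    return [tuple(pair) for pair in out]


print(combine_fields([("Accept", "text/html"), ("Via", "1.1 a"),
                      ("accept", "text/plain")]))
```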

>> A server MUST be prepared to receive request header fields of
>> unbounded length and respond
> 
> Consider removing the above MUST but please add MUST after "and": A
> server ought to be prepared to receive ... and MUST respond ...
> See above for discussion of a similar MUST that applies to URIs of
> unbounded length.

Fixed.

>> A client MUST be prepared to receive response header fields of unbounded length.
> 
> Same here, except no new MUST is needed.

Fixed.

>> If chunked is applied to a payload body, the sender MUST NOT apply
>> chunked more than once
> 
> The precondition is bogus: If chunked is NOT [yet?] applied to a payload
> body, the sender still MUST NOT apply chunked more than once!

Fixed.

>> the sender MUST NOT apply chunked more than once
> 
> This needs to be rephrased to make it clear that proxies are not
> responsible for dechunking multiple chunked encodings to make the
> forwarded message comply with this MUST. For example, we could say: "the
> sender MUST NOT generate messages with multiple chunked encodings".
> 
> Please note that both the proposed "multiple chunked encodings" and the
> existing "more than once" wordings imply that foo,chunked,bar,chunked
> combination is also not allowed.

Both are intentional.  A proxy is required to fix framing problems
in received messages (or reject them without forwarding).  Such
messages might be crafted to bypass security filters.
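
A sketch of the kind of check an intermediary might run on a received
Transfer-Encoding value before deciding whether to repair or reject
the message. It only tests the "more than once" condition discussed
here; the function names are hypothetical and any transfer parameters
are simply ignored.

```python
def transfer_codings(field_value: str):
    """Split a Transfer-Encoding value into lowercased coding names."""
    names = []
    for item in field_value.split(","):
        name = item.split(";", 1)[0].strip().lower()  # drop any parameters
        if name:
            names.append(name)
    return names


def chunked_at_most_once(field_value: str) -> bool:
    """True when "chunked" appears no more than once in the coding list."""
    return transfer_codings(field_value).count("chunked") <= 1


print(chunked_at_most_once("gzip, chunked"))
print(chunked_at_most_once("foo,chunked,bar,chunked"))
```

A message that fails the check would be either fixed or refused, not
forwarded as received.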

>> A server MUST send an empty trailer with the chunked transfer coding
>> unless at least one of the following is true:
> 
> This should be relaxed to "A server MUST generate ..." because a proxy,
> in general, does not know whether bullet #2 ("the trailer fields consist
> entirely of optional metadata...") is true. Even though chunking is a
> hop-by-hop mechanism, proxies ought to forward Trailers whenever
> possible, right?

Fixed.

>> a client MUST send only the absolute path and query components of the
>> target URI as the request-target
> 
>> To allow for transition to the absolute-form for all requests in some
>> future version of HTTP, HTTP/1.1 servers MUST accept the
>> absolute-form in requests
> 
> Should the first "MUST send" be relaxed to "MUST generate" so that the
> proxies do not block the apparently anticipated "transition to the
> absolute-form for all requests" by stripping URIs as they forward them?

No, since then such proxies won't interoperate with older servers.
I wish we could just delete the second requirement, since it has
been proven to be unreliable in practice and wouldn't be reliable
for any HTTP/1.x (it isn't needed for support of HTTP/2).
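
To make the first requirement concrete, here is a small sketch of
deriving the request-target for a request sent directly to an origin
server. The helper name origin_form is hypothetical; an empty path is
sent as "/".

```python
from urllib.parse import urlsplit


def origin_form(target_uri: str) -> str:
    """Return the absolute path and query of target_uri as a request-target."""
    parts = urlsplit(target_uri)
    path = parts.path or "/"  # an empty path is sent as "/"
    return path + ("?" + parts.query if parts.query else "")


print(origin_form("http://www.example.org/where?q=now"))
```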

>> In order to avoid request loops, a proxy that forwards requests to 
>> other proxies MUST be able to recognize and exclude all of its own
>> server names
> 
> Several intermingled issues here:
> 
> 1) The "other proxies" prerequisite is a red herring IMO. Any proxy
> should avoid request loops. If a proxy that is not configured to forward
> requests to other proxies sends an "origin server" request to itself,
> such a request may still create a loop.

Well, if it sends an origin server request to itself, then as
the recipient it takes on the role of an origin server or gateway,
not a proxy, and the requirement (as stated) no longer applies ...

> I think the following would be
> better: "In order to avoid request loops, a proxy MUST ..."

Since this section is about forwarding, I have changed it to

   An intermediary MUST NOT forward a message to itself unless it is
   protected from an infinite request loop. In general, an intermediary ought
   to recognize its own server names, including any aliases, local variations,
   or literal IP addresses, and respond to such requests directly.

> 2) If we want the proxy to recognize and exclude, let's demand that
> instead of just demanding that the proxy is able to do that (but
> possibly does not do it): "a proxy ... MUST recognize and exclude ...".

Fixed.

> 3) This MUST may benefit from some polishing to clarify what "exclude"
> means. I think it means "reject" in this context.

Not necessarily.

> 4) The "recognize" part can be dropped because recognition is implied by
> the "exclude" requirement.
> 
> At the end, we may arrive at something like this:
> 
> "In order to avoid request loops, a proxy MUST reject requests for
> itself, including requests where the server address is formed using a
> proxy domain name, its aliases, local variations, or literal IP addresses."

It can handle the requests itself.  I have rephrased it.
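
Roughly, the idea is something like the sketch below. Everything in
it is an assumption made for illustration: the name set, the port,
and the two return strings are hypothetical, and a real intermediary
would build the set from its configuration and interfaces.

```python
# Hypothetical names for this intermediary: canonical name, an alias,
# a local variation, and a literal IP address.
OWN_NAMES = {"proxy.example.com", "proxy", "192.0.2.10"}
OWN_PORT = 8080


def targets_self(host: str, port: int,
                 own_names=OWN_NAMES, own_port=OWN_PORT) -> bool:
    """True when the request's authority names this intermediary."""
    # Compare case-insensitively and ignore a trailing dot on the name.
    return host.rstrip(".").lower() in own_names and port == own_port


def route(host: str, port: int) -> str:
    """Respond directly to requests for ourselves; forward the rest."""
    return "respond-directly" if targets_self(host, port) else "forward"


print(route("Proxy.Example.COM.", 8080))
print(route("www.example.org", 80))
```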

>> A client that does not support persistent connections MUST send the
>> "close" connection option in every request message.
> 
> Including a CONNECT request message?

Yes (they are orthogonal).

>> A client that pipelines requests MUST be prepared to retry those requests
> 
> MUST be prepared to retry but does not have to retry? Or MUST retry?

Changed to "SHOULD retry unanswered requests".

>> A client that pipelines requests MUST be prepared to retry those
>> requests if the connection closes before it receives all of the
>> corresponding responses.
> 
> Please clarify that the client MUST retry unanswered requests and not
> all "those requests" it pipelined.

Fixed.
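
Since responses on a pipelined connection arrive in the same order as
the requests, the unanswered ones are just the tail of the pipeline.
A minimal sketch, with a hypothetical helper name and requests
represented as plain strings:

```python
def unanswered(pipelined, complete_responses: int):
    """Return the pipelined requests that have no complete response yet."""
    # Responses come back in request order, so the first N are answered.
    return list(pipelined[complete_responses:])


sent = ["GET /a", "GET /b", "GET /c"]
# The connection closed after one complete response was received.
print(unanswered(sent, 1))
```

Whether each of those is safe to retry automatically is a separate
question that this sketch does not address.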

>> MUST NOT pipeline on a retry connection until it knows the connection
>> is persistent.
> 
> Is it really possible to know that a connection _is_ persistent?

Fixed, and rephrased to note that it is due to the TCP reset problem.

...

> And here is a list of MUST-level requirements that are missing an
> explicit actor on which the requirement is placed. Most of these should
> be easy to rephrase to place the requirement on the intended actor
> (e.g., "A proxy MUST" instead of "header field MUST"):
> 
>> An unrecognized header field received by a proxy MUST be forwarded
>> downstream

Fixed (and then removed as it was a redundant copy).

>> The host MUST NOT be empty; if an "http" URI is received with an
>> empty host, then it MUST be rejected as invalid.

Fixed.

>> the TCP connection MUST be secured,

Fixed.

>> These special characters MUST be in a quoted string

Removed as it was redundant to ABNF.

>> the message framing is invalid and MUST be treated as an error

Fixed.

>> a response message received by a user agent, it MUST be treated as an
>> error

Fixed.

>> The trailer MUST NOT contain fields

Fixed.

>> the Host field-value MUST be identical

Fixed.

>> the Host header field MUST be sent with an empty field-value.

Fixed.

>> The "Via" header field MUST be sent by a proxy

Fixed already for another ticket.

>> the connection MUST be closed after the current request/response is
>> complete

Removed as redundant.

>> all messages on a connection MUST have a self-defined message length

Changed to "need to".

>> the first action after changing the protocol MUST be a response

Rephrased.


> Please be careful with "send" and "generate" when fixing the above
> actorless rules so that the proxies do not accidentally become
> responsible for policing traffic where unnecessary.
> 
> Thank you,
> 
> Alex.

Committed in

  http://trac.tools.ietf.org/wg/httpbis/trac/changeset/2334

Thanks for the detailed review,

....Roy