IETF Logo Mail Archive

Re: #305 Header ordering

James M Snell <jasnell@gmail.com> Fri, 22 November 2013 04:03 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EFD31ADF5A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 21 Nov 2013 20:03:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.526
X-Spam-Level:
X-Spam-Status: No, score=-6.526 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, J_BACKHAIR_33=1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.525, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e45KVTXLoZHy for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 21 Nov 2013 20:03:02 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 0DBAB1ADEC4 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 21 Nov 2013 20:03:01 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Vjhvs-0002cS-Ft for ietf-http-wg-dist@listhub.w3.org; Fri, 22 Nov 2013 04:01:28 +0000
Resent-Date: Fri, 22 Nov 2013 04:01:28 +0000
Resent-Message-Id: <E1Vjhvs-0002cS-Ft@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1VjhvV-0002bX-Pq for ietf-http-wg@listhub.w3.org; Fri, 22 Nov 2013 04:01:05 +0000
Received: from mail-oa0-f42.google.com ([209.85.219.42]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1VjhvT-0003BG-Ft for ietf-http-wg@w3.org; Fri, 22 Nov 2013 04:01:05 +0000
Received: by mail-oa0-f42.google.com with SMTP id i4so816611oah.29 for <ietf-http-wg@w3.org>; Thu, 21 Nov 2013 20:00:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ZTYXT9ir3fZaU32CSuAdpM/ZZXBDKMSuHib0e9TwGdk=; b=fdIK1G95l8/WsYeZuVyB0UZ9C5gMVXgaIwhEbrCb7olm5cjENJjQvbMtHFsuE/1uLW RlniMlbeh9DFygAHeE6JjLJ2DFuwnxyPiVZI45FYg3kXrvPzvHQ8VHdrZdygkNxi9OT6 MkuhbJfFL+rA51Zn424Mney38jh1NDqyo8qWm+vPzpdlVzz1BbKrUi/lilgILBMTGOuU Kw6QoeS1o2LFKmsED6nzghjtdnrCkmJHlNqX5Tnc7uOQnFfAiuIf2Yst8sfVSET4Q307 JrevBZh/SFqDrRcWcyoXp895UJBZ27u9chnKH497Y22O1it1DJaBbf1nssmWpqfVh73D U0og==
MIME-Version: 1.0
X-Received: by 10.60.52.81 with SMTP id r17mr8786908oeo.3.1385092836766; Thu, 21 Nov 2013 20:00:36 -0800 (PST)
Received: by 10.60.124.137 with HTTP; Thu, 21 Nov 2013 20:00:36 -0800 (PST)
Received: by 10.60.124.137 with HTTP; Thu, 21 Nov 2013 20:00:36 -0800 (PST)
In-Reply-To: <CAP+FsNf+z6qqr87QwOZZ_M9U-u7JxF+dBBv9SQzXz8-dcaMT1Q@mail.gmail.com>
References: <CABkgnnWRx25zQLdNKgyHNJyb8wRvqW6Vu1NC31HDZw+UhFFMqQ@mail.gmail.com> <75B91F2A-495A-4F2F-8031-41EEA94D5DC5@mnot.net> <CABP7RbcYDOT8aFn+2gS7R_ZLAhQ-PYCpFza78pwtLtNxBKo2Aw@mail.gmail.com> <CAP+FsNeUmE6Bpjy9-Bnd=DG6yHEGboM1ggDZqLg1cB2Cb=b_-Q@mail.gmail.com> <D2CFEBAB-3A91-4FA4-8A57-9F12A0641366@mnot.net> <CAP+FsNfSixNZZZZ5pgZFBhcadiW7XF7PG_21QLX+mGKXHjNtnA@mail.gmail.com> <B7226A0D-7FD6-4F1E-9BB9-90F2B352B84F@mnot.net> <CABP7Rbd+5G2aMh1o1T2CKpY02hn=rQSb5pUHG-xPm++sXOkCWA@mail.gmail.com> <CAP+FsNf+z6qqr87QwOZZ_M9U-u7JxF+dBBv9SQzXz8-dcaMT1Q@mail.gmail.com>
Date: Thu, 21 Nov 2013 20:00:36 -0800
Message-ID: <CABP7RbdwqmMRGXBecySQ17v6yv+6z2-5u_ib8Q--_-Hak0JJEQ@mail.gmail.com>
From: James M Snell <jasnell@gmail.com>
To: Roberto Peon <grmocg@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org, Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a1133073a843af404ebbc0e90"
Received-SPF: pass client-ip=209.85.219.42; envelope-from=jasnell@gmail.com; helo=mail-oa0-f42.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.713, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1VjhvT-0003BG-Ft 15cf5f7ccf52d02a7d4c7c6fea2c8a6d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: #305 Header ordering
Archived-At: <http://www.w3.org/mid/CABP7RbdwqmMRGXBecySQ17v6yv+6z2-5u_ib8Q--_-Hak0JJEQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/21126
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Order is supposed to be insignificant for Link and Prefer. There are others
which could, in theory appear more than once but typically don't.
If-None-Match, If-Match, If-Modified-Since, and If-Unmodified-Since for
example.

The various Auth headers are theoretically order agnostic also... But it
may be safer to preserve order on those.
On Nov 21, 2013 7:36 PM, "Roberto Peon" <grmocg@gmail.com> wrote:

> So far, the ones I know about are cookie and setcookie, but mainly because
> those are the ones that I care about.
> -=R
>
>
> On Thu, Nov 21, 2013 at 7:34 PM, James M Snell <jasnell@gmail.com> wrote:
>
>> Do we (yet) have a list of all the registered header fields for which
>> order is insignificant?
>>  On Nov 21, 2013 6:39 PM, "Mark Nottingham" <mnot@mnot.net> wrote:
>>
>>> I'm OK with that as long as we have the MUST... unless clause.
>>>
>>>
>>> On 22/11/2013, at 1:29 PM, Roberto Peon <grmocg@gmail.com> wrote:
>>>
>>> > As I understand it for either #1 or #3:
>>> > ordering between header values with the same key MUST use
>>> value-concatenation unless the header is known to not care about ordering
>>> (setcookie, etc.).
>>> >
>>> > thus, if we saw the following headers:
>>> >   foo: bar
>>> >   boo: hiss
>>> >   foo: baz
>>> >
>>> > then we'd expect to see foo: bar<delim>baz, and boo: hiss (or boo:
>>> hiss and foo: bar<delim>baz)
>>> >
>>> > If we had:
>>> >   set-cookie: a
>>> >   set-cookie: b
>>> >   foo: bar
>>> >   foo: baz
>>> > then we could expect:
>>> >   set-cookie: b
>>> >   set-cookie: a
>>> >   foo: bar<delim>baz
>>> >
>>> > In other words, ordering is always maintained except when we know it
>>> is safe to ignore.
>>> > -=R
>>> >
>>> >
>>> > On Thu, Nov 21, 2013 at 6:13 PM, Mark Nottingham <mnot@mnot.net>
>>> wrote:
>>> > Well, if by "handle" you mean "anyone who generates or modifies this
>>> header has to understand the special handling", yes...
>>> >
>>> >
>>> > On 22/11/2013, at 12:57 PM, Roberto Peon <grmocg@gmail.com> wrote:
>>> >
>>> > > All of the proposals handle any potential nondeterminism amongst
>>> header fields with the same name, so that isn't a problem...
>>> > >
>>> > > -=R
>>> > >
>>> > >
>>> > > On Thu, Nov 21, 2013 at 5:43 PM, James M Snell <jasnell@gmail.com>
>>> wrote:
>>> > > I would note also that implementations can vary on how they handle
>>> multiple header instances.  For instance, I've seen some impls that only
>>> pay attention to the first link header in a request while others only see
>>> the last one.  Nondeterministic ordering could cause bad things to occur.
>>> > >
>>> > > On Nov 21, 2013 5:29 PM, "Mark Nottingham" <mnot@mnot.net> wrote:
>>> > > So, *any* header that uses the list production *could* be sensitive
>>> to ordering.
>>> > >
>>> > > >From a quick look at the registry, besides cookies the following
>>> define a meaningful semantic for ordering:
>>> > >
>>> > > A-IM
>>> > > IM
>>> > > Accept-Language (maybe; see our note in p2)
>>> > > Content-Encoding
>>> > > Forwarded
>>> > > Via
>>> > >
>>> > > I can imagine a case where Content-Encoding is applied by an
>>> intermediary, but having more than one encoding isn't that common (which
>>> might lead to worse bugs, since intermediaries might not be written to
>>> check for an existing C-E and fold the headers).
>>> > >
>>> > > Via is interesting, because intermediaries are required to append to
>>> it as a message goes through it, and ordering is important for debugging
>>> (e.g., loop detection).
>>> > >
>>> > > Presumably X-Forwarded-For and Forwarded suffer from this as well.
>>> > >
>>> > > Another interesting case is one where a header field only allows one
>>> value, and an implementation picks the first one (for example) -- e.g.,
>>> Host. If ordering after compression isn't deterministic, it may be an
>>> attack vector.
>>> > >
>>> > > Cheers,
>>> > >
>>> > >
>>> > >
>>> > > On 22/11/2013, at 6:12 AM, Martin Thomson <martin.thomson@gmail.com>
>>> wrote:
>>> > >
>>> > > > Hervé made a few comments on github
>>> > > > (https://github.com/http2/http2-spec/issues/305) that I think
>>> needed
>>> > > > to be made here:
>>> > > >
>>> > > > Hervé:
>>> > > >>>>
>>> > > > There are at least to ways of providing ordering between headers:
>>> > > >
>>> > > > * Using null-separated list of values, and mandating that the
>>> > > > ordering of the values in these lists must be preserved.
>>> > > >
>>> > > > * Relying on the emission order. The only difficulty here is that
>>> the
>>> > > > ordering of the headers in the reference set can not be chosen by
>>> the
>>> > > > sending application. However tricks (like double indexed
>>> > > > representation) can be used by the encoder to enforce an order.
>>> > > >
>>> > > > If we are only targeting the ordering of cookies, then using
>>> > > > null-separated list of values is sufficient.
>>> > > >
>>> > > > * It stays in the main HTTP/2.0 spec, therefore is not dependent of
>>> > > > the header compression layer.
>>> > > >
>>> > > > * It allows removing from HPACK the emission ordering constraints.
>>> > > > <<<
>>> > > >
>>> > > > On the first, this contradicts a previous decision.  Cookies need
>>> to
>>> > > > be decomposed into pieces to get compression efficiency
>>> > > > (https://github.com/http2/http2-spec/issues/292).
>>> > > >
>>> > > > The actual ordering requirements are very narrow:
>>> > > >
>>> http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-25#section-3.2.2
>>> > > >
>>> > > > I see three options:
>>> > > >
>>> > > > 1. A null-delimiter and collapsing all header field instances for
>>> the
>>> > > > same name into the same value.
>>> > > >
>>> > > > 2. A requirement on the compression to preserve order (for fields
>>> with
>>> > > > the same name).  The best part about this is that it isn't that
>>> > > > difficult to achieve, because the only non-deterministic part of
>>> the
>>> > > > decoder is the reference set emission.  Make that deterministic
>>> (emit
>>> > > > in same order as last time; emit from highest table index to
>>> lowest)
>>> > > > and we avoid the need for null-delimited sequences altogether.
>>> > > >
>>> > > > An encoder then follows an algorithm where it forces emission of
>>> > > > header fields as they appear.  Items can be left in the reference
>>> set
>>> > > > if they are in the same order as last time (which requires a little
>>> > > > bit of accounting to implement, or you can double-emit the index
>>> and
>>> > > > avoid the accounting entirely).
>>> > > >
>>> > > > 3. Avoid the problem altogether and recommend the use of commas for
>>> > > > preserving order.  The only cases where this doesn't work is for
>>> > > > Cookie and Set-Cookie.  For those, I know it might sound a little
>>> > > > risky for some, but losing ordering might not be a bad thing there,
>>> > > > despite what 6265 says.
>>> > > >
>>> > >
>>> > > --
>>> > > Mark Nottingham   http://www.mnot.net/
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> >
>>> > --
>>> > Mark Nottingham   http://www.mnot.net/
>>> >
>>> >
>>> >
>>> >
>>>
>>> --
>>> Mark Nottingham   http://www.mnot.net/
>>>
>>>
>>>
>>>
>

v2.23.0 | Report a Bug | By Email