IETF Logo Mail Archive

Re: New Version Notification for draft-nottingham-proxy-explanation-00.txt

Ted Hardie <ted.ietf@gmail.com> Tue, 01 March 2016 00:06 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5A701A1AB9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Feb 2016 16:06:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.007
X-Spam-Level:
X-Spam-Status: No, score=-7.007 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.006, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NnK7vMaeiWTw for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Feb 2016 16:06:30 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F5061A1A8F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 29 Feb 2016 16:06:30 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aaXkv-0006RW-0Z for ietf-http-wg-dist@listhub.w3.org; Tue, 01 Mar 2016 00:01:37 +0000
Resent-Date: Tue, 01 Mar 2016 00:01:37 +0000
Resent-Message-Id: <E1aaXkv-0006RW-0Z@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ted.ietf@gmail.com>) id 1aaXkq-0006Pl-20 for ietf-http-wg@listhub.w3.org; Tue, 01 Mar 2016 00:01:32 +0000
Received: from mail-qk0-f173.google.com ([209.85.220.173]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <ted.ietf@gmail.com>) id 1aaXkk-0000ig-1j for ietf-http-wg@w3.org; Tue, 01 Mar 2016 00:01:29 +0000
Received: by mail-qk0-f173.google.com with SMTP id s68so63222172qkh.3 for <ietf-http-wg@w3.org>; Mon, 29 Feb 2016 16:01:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tOe9dQqmrPRSwQ8jDb86yQGoYHTDIgwkqNndMtP/P9w=; b=c7C8/g+oGKPdMZuc4V25ojH3uffTWz55jGtjnB9J4GKL3sJwwddf3tBrpgIGUh2foP y+sWjnlWKdS4tadY0BQ1OlGk6OXz8njX0qc5JdNAcsdU7HjTXwFGSaziZCnxUBVADUcO CikwD8BvBW7UzNwivKZJKaZAK+E0FaX5U3uRp7QSyLPVXyYFAIopsRnGm7OdjQ9fLvsO F8rWoc7vCsfPfL46h5ygeBEboowSIWSYWaLOE35BaVKj38v97LK6njfA8UrAVb/FxYbp P8S+gPciWMGSXF3qEbUdQCQYHM0HBXQFpOT08eS0ln1jp92XhvSr+Lz9t/VQffmkQ8rI BudA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tOe9dQqmrPRSwQ8jDb86yQGoYHTDIgwkqNndMtP/P9w=; b=F5P0cerMKES+OjFSJl0uZIKEltgDz9af/ejGEIx0eoBGLNUUgz0wufp3YfFgVh3C42 t0i2I9Oe/73rxzOrvahfdGs6YQSRtkIchzsvqmWazl/nvTz/UZOUbTVDMdcXcvtoXBnY UG9RMiiQk0c+ZJaWkgfqJ7Q3to7XZ3AeFX+q8W2uKo9SkHdwtpMK3uYwE4/p1OZzD93s l1XjHCRWotJLSed6Su1UXzqlzo4YxuqYtABWI6E+QVafen3kedp9WKJkkWRDQJq9wuzi /CCz/URBzkiUbgDxS23H0Z5GjjoVium4mI8Tukj8BJGGIKwBe5W8mh6abhZ2Ymlka1Rj lRvA==
X-Gm-Message-State: AD7BkJJ9At6Z5Fvxxijcb8XHRzK+8TPAeWLEGDvIN0Yvz3fDlV3Kapfh3XBDfThsClpsYo/krGNBGKBwqD4ftw==
X-Received: by 10.55.71.66 with SMTP id u63mr23065354qka.67.1456790459961; Mon, 29 Feb 2016 16:00:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.55.6.13 with HTTP; Mon, 29 Feb 2016 16:00:40 -0800 (PST)
In-Reply-To: <8BD7C79F-6882-43E5-B706-FA3335DBAA73@mnot.net>
References: <20160217003812.7831.6278.idtracker@ietfa.amsl.com> <56F7C2DF-06AA-477C-8515-C152CC3A56A4@mnot.net> <CA+9kkMC1Tce=eohXFSZfrD9cpJHOMOMKtoYqVbvUY3EwbboTqg@mail.gmail.com> <8BD7C79F-6882-43E5-B706-FA3335DBAA73@mnot.net>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Mon, 29 Feb 2016 16:00:40 -0800
Message-ID: <CA+9kkMC_y9Ubha4ESCBuzU85UUQs8K4VGme81kJmjx+2v_3cTw@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP WG <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a114a7974e0da85052cf17543"
Received-SPF: pass client-ip=209.85.220.173; envelope-from=ted.ietf@gmail.com; helo=mail-qk0-f173.google.com
X-W3C-Hub-Spam-Status: No, score=-7.5
X-W3C-Hub-Spam-Report: AWL=1.192, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1aaXkk-0000ig-1j e3b2c1cf97480107241f5eea662691f6
X-Original-To: ietf-http-wg@w3.org
Subject: Re: New Version Notification for draft-nottingham-proxy-explanation-00.txt
Archived-At: <http://www.w3.org/mid/CA+9kkMC_y9Ubha4ESCBuzU85UUQs8K4VGme81kJmjx+2v_3cTw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31121
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Mon, Feb 29, 2016 at 3:49 PM, Mark Nottingham <mnot@mnot.net> wrote:

>
> >
> >
> > The document says about the HTML content in a 403 "but browsers are
> unwilling to show this to end users, since doing so would subject them to a
> potential man-in-the-middle attack."; this same reluctance seems to me
> likely to apply to the URL in the proposed JSON structure.  You note the
> issue considerations section, but seem to come down on the side of
> including it anyway.  Can you explain more about why? What's the other side
> of this trade-off look like, in your thinking?
>
> Browsers are unwilling to show HTML because it has the ability to
> masquerade as the origin; displaying a raw link doesn't, and there's
> significantly less chance that the user will be confused about that.
>
> Still, it'd be good to have a discussion about whether / when the URL
> should be displayed. I included it to have that discussion, mostly :)
>
> If we don't include it, I *suspect* it's going to be more difficult to
> meet some use cases (e.g., get support HERE, complain HERE), and I
> *suspect* proxies will just put links in the text anyway, to cut-and-paste.
>
> That kind of indicates that there may be a need for more than one URI, so
having a single "moreinfo" URI may not help avoid the cut-and-paste.  I
kind of suspect that the best thing to do is to provide the facility for
bare URIs in text, and ruthlessly suppress any ability to use anchor text
to hide what's in the URI.   That remains a bit of risk, but might be the
best balance.


>
> > I found it odd that the document talked about forbidding origin servers
> from generating the media type, rather than returning it a response.  Below
> you say it MUST NOT be used with 2xx or 3xx responses; it seems like you
> could also use similar language for origin server/CDN use.
>
> What's the use case for origin servers generating it?
>
> I don't have a use case for that, I was commenting on the oddity of
preventing them from generating it, rather than saying that MUST NOT return
it in a response (or even use it, as you say for 2xx and 3xx responses).  I
am perfectly willing to save my paint for other bikesheds, though.


>
> > The document says that "Clients MAY selectively support this media type.
> For example, an implementation might deem it only useful (or safe) in
> CONNECT requests."  Given the other restrictions, I don't use case outside
> of CONNECT, and I would normally say that you shouldn't send an accept
> header where you're not willing to receive the type; am I missing some of
> your thinking here?
>
> Interception proxies.
>
> So, a client should send this accept request with all queries in case
there is a friendly enough man in the middle to tell them that the traffic
is being prevented and why?  I can't picture that being the right
trade-off, personally, but I'd be interested in whether this sounds
plausible to other folk.

regards,

Ted



> Cheers,
>
>
>
> Mark Nottingham   https://www.mnot.net/
>
>

v2.23.0 | Report a Bug | By Email