Re: site-wide headers
Mark Nottingham <mnot@mnot.net> Tue, 04 October 2016 08:06 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DACF129612 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 4 Oct 2016 01:06:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.917
X-Spam-Level:
X-Spam-Status: No, score=-9.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yl5PnBgoip5N for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 4 Oct 2016 01:06:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B1251295F8 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 4 Oct 2016 01:06:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1brKgD-0007w3-SW for ietf-http-wg-dist@listhub.w3.org; Tue, 04 Oct 2016 08:02:25 +0000
Resent-Date: Tue, 04 Oct 2016 08:02:25 +0000
Resent-Message-Id: <E1brKgD-0007w3-SW@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1brKg8-0007vI-Ju for ietf-http-wg@listhub.w3.org; Tue, 04 Oct 2016 08:02:20 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1brKfw-0003qp-97 for ietf-http-wg@w3.org; Tue, 04 Oct 2016 08:02:14 +0000
Received: from [192.168.3.104] (unknown [124.189.98.244]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id A544A22E256; Tue, 4 Oct 2016 04:01:43 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CABkgnnWDys91VF5xCBPc4+J8JQnj75VsGoLVkpXxM60egYd5GQ@mail.gmail.com>
Date: Tue, 04 Oct 2016 19:01:40 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0885C73D-9C8C-47E2-9F91-6509BCF7C396@mnot.net>
References: <CABkgnnWDys91VF5xCBPc4+J8JQnj75VsGoLVkpXxM60egYd5GQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3226)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-8.3
X-W3C-Hub-Spam-Report: AWL=1.351, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1brKfw-0003qp-97 60cfa2ed94c69b82a694706cb947fc19
X-Original-To: ietf-http-wg@w3.org
Subject: Re: site-wide headers
Archived-At: <http://www.w3.org/mid/0885C73D-9C8C-47E2-9F91-6509BCF7C396@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/32461
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hey Martin, CC:ing Mike to make sure he sees this. Mike, there's been a few messages on the HTTP WG list, you might want to have a look. > On 28 Sep. 2016, at 9:00 pm, Martin Thomson <martin.thomson@gmail.com> wrote: > > (https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00) > > I like this approach because it is more obviously composable into an > existing system at the consuming end. I especially like that the > format is without opinion about its contents. That makes it quite > powerful. > > I dislike this approach (in contrast to the JSON-based > origin-policy[1]) because it uses header fields. Of course that makes > it better suited to HTTP. I dislike that the format is without > opinion about its contents. That makes it quite powerful. Mike and I have been talking about the proposals in back channel a bit. A modified origin-policy could take yet another path -- it could not try to convey headers at all, but instead just describe site-wide policy in JSON, defining new syntax to supplant existing site-wide headers where necessary. (the downside here being a nasty period where sites have to set up .well-known files *and* send response headers, and not mess it up) I'm not yet convinced which approach is better, but I'm fairly convinced that it should be one or the other ("just headers" or something new), not both. One of the advantages of doing this as "just headers" is that, as others on the thread have noted, it's easier for a hoster / CDN / etc. to insert/enforce policy in a way that's more purely mechanical. I'm probably going to continue working on the site-wide draft as well as send Mike some friendly pull requests; hopefully as we discuss this problem area, the right approach will become more apparent. > On balance, I think that this is a distinct improvement. Please disambiguate "this"? > One thing that this can't do but the origin-policy does is do > something to manage the downside of CORS. The idea that you might > give out a pass to avoid CORS preflight is very appealing. As far as > I can tell, this proposal cannot address that problem. It would be > justifiable to say that this is a completely different problem that > might build on this work, but it's a very appealing problem to look > at. Yes, I'd intended anything like that to be separately defined, as a new HTTP header, with the site-wide approach. > (It's tempting to suggest that you could include a label that just > applies to preflight requests, but I don't know how to solve the > origin enumeration problem. origin-policy seems to punt on that.) > > > ---Nits and suggestions > > I think that this needs a little more rigour in the definition of the > format and the algorithm. They should at least match. It's unclear > from the algorithm how blank lines (CRLF CRLF) are handled. Agreed, if it goes forward. > The character set for labels could be expanded a little to include > [0-9\-_] so that you can base64url things you might have lying around > to produce the label (or just keep the label very short). Nod. > You should also note another reason to keep things out of the h2 > header table: any change to the table eventually pushes entries out, > necessitating re-creation. This is more manageable because it is > directly under control. Yeah, that's not explicitly stated, but it's a strong motivation. > The draft should note that these advantages come with a cost in memory > to clients and that clients that receive unreasonably large header > sets can/should pretend that they don't exist. Nod. The nice thing is that they're per-origin, not per-connection, but it does have tradeoffs. > [1] https://wicg.github.io/origin-policy/ -- Mark Nottingham https://www.mnot.net/
- site-wide headers Martin Thomson
- Re: site-wide headers Willy Tarreau
- Re: site-wide headers Martin Thomson
- Re: site-wide headers Eitan Adler
- Re: site-wide headers Willy Tarreau
- Re: site-wide headers Mark Nottingham
- Re: site-wide headers Martin Thomson