delivery=same-origin | Re: Formalizing the HTTP State Tokens proposal.
Kari Hurtta <hurtta-ietf@elmme-mailer.org> Wed, 10 April 2019 17:03 UTC
To: HTTP Working Group <ietf-http-wg@w3.org>
Date: Wed, 10 Apr 2019 19:59:39 +0300
From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Mike West <mkwst@google.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Archived-At: <https://www.w3.org/mid/20190410165945.583F545C5D@welho-filter4.welho.com>
HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00

4.2.  The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  Exactly one member whose key is "delivery", and whose value is one
|      of the following tokens ([I-D.ietf-httpbis-header-structure],
|      Section 3.9): "same-origin", "same-site", or "cross-site".
|
|      If the "delivery" member contains an unknown identifier, the
|      member MUST be ignored.

This does not work for delivery=same-origin because the Sec-Http-State:
header field is generated on the first request and the default is
delivery=same-site. That is before the HTTP client has seen the
Sec-Http-State-Options response header field.

This solution is a subset of my "Server/Site opt-in" suggestion
( <20190403182945.069B4C3F26@welho-filter2.welho.com>
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0007.html

  That "Server/Site opt-in" suggestion of mine also still needs some
  changes. It does not work well on subresources which need user
  opt in / opt out. )

This solution also includes delivery=none for origins which want to
minimize request size (delivery=none is not a state for user opt out).
( <20190328190729.F36474EEEA@welho-filter4.welho.com>
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019JanMar/0251.html )

In another mail I suggested replacing "same-site" with "same-domain".
I mark this now as "same-site" [or "same-domain"].
( <20190407171006.AD9EEB38@welho-filter3.welho.com>
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0013.html )

This solution inserts Sec-HTTP-State: token=query as the request header
when the origin's delivery mode is not known. This is syntactically
different from a token which gives a binary value / byte sequence,
because that uses * to indicate a base64 encoded value.
( Some of my other suggestions also use Sec-HTTP-State: token=void as
  the request header. )

3.1.  HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  "delivery" specifies the initiating contexts from which the token
|      can be delivered.  It is an enum of either "same-origin", "same-
|      site", or "cross-site".  Unless otherwise specified, its value is
|      "same-site".

⇒

----
   o  "delivery" specifies the initiating contexts from which the token
      can be delivered.  It is an enum of either "query", "none",
      "same-origin", "same-site" [or "same-domain"], or "cross-site".
      Unless otherwise specified, its value is "query".
----

3.3.1.  Generate an HTTP State Token for an origin
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-3.3.1

|   2.  Let "token" be a newly created HTTP State Token with its
|       properties set as follows:
|
|       *  "creation": The current time.
|
|       *  "delivery": "same-site"

⇒

----
       *  "delivery": "query"
----

|       *  "key": null
|
|       *  "max-age": 3600
|
|       *  "value": 256 cryptographically random bits.

4.1.  The 'Sec-Http-State' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.1

|   o  Exactly one member whose key is "token", and whose value is binary
|      content ([I-D.ietf-httpbis-header-structure], Section 3.9) that
|      encodes the HTTP state token's value for the origin to which the
|      header is delivered.
|
|      If the "token" member contains more than 256 bits of binary
|      content, the member MUST be ignored.

⇒

----
   o  Exactly one member whose key is "token".  The value of this key is
      either a byte sequence (sh-binary,
      [draft-ietf-httpbis-header-structure-09], Section 3.10) or a token
      (sh-token, [draft-ietf-httpbis-header-structure-09], Section 3.9).

      The byte sequence encodes the HTTP state token's value for the
      origin to which the header is delivered.  This is binary content.
      If the "token" member contains more than 256 bits of binary
      content, the member MUST be ignored.

      The token value (as sh-token) is "query".  This indicates that the
      HTTP client supports HTTP state tokens, but needs a value for
      "delivery".
----

( My other suggestions also include a token value (as sh-token) which is
  "void". It also indicates that the HTTP client supports HTTP state
  tokens, but binary content could not be delivered. )

4.2.  The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  Exactly one member whose key is "delivery", and whose value is one
|      of the following tokens ([I-D.ietf-httpbis-header-structure],
|      Section 3.9): "same-origin", "same-site", or "cross-site".

⇒

----
   o  Exactly one member whose key is "delivery", and whose value is one
      of the following tokens ([draft-ietf-httpbis-header-structure-09],
      Section 3.9): "none", "same-origin", "same-site" [or "same-domain"],
      or "cross-site".

      Note: "delivery"'s value "query" is the initial value for the
      metadata and is not allowed on the "Sec-Http-State" response
      header.
----

5.1.  Attach HTTP State Tokens to a request
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-5.1

   5a.  If "request-token"'s "delivery" is "null", then skip the
        remaining steps in this algorithm, and return without modifying
        the request.

   5b.  If "request-token"'s "delivery" is "query", then:

        1.  The user agent MAY omit generating the Sec-Http-State:
            request header if it determines that the origin does not
            support HTTP State Tokens.  It is not required that all
            URLs for the origin respond with the Sec-Http-State:
            response header for the query.

            Note: The Sec-Http-State: response header for the query may
            be generated only for certain URLs (for example the login
            and/or front page URLs).

        2.  Insert a member into "header-value" whose key is "token"
            and whose value is "query" (using sh-token syntax).

        3.  Skip the remaining steps in this algorithm.

|   8.  Insert a member into "header-value" whose key is "token" and
|       whose value is "serialized-value".

⇒

----
   8.  Insert a member into "header-value" whose key is "token" and
       whose value is "serialized-value" (using sh-binary syntax).
-----

6.  Configuring HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-6

|         +  "header" has a member named "delivery" whose value is not
|            one of the following tokens (Section 3.9 of
|            [I-D.ietf-httpbis-header-structure]): "same-origin",
|            "same-site", and "cross-site".

⇒

----
         +  "header" has a member named "delivery" whose value is not
            one of the following tokens (Section 3.9 of
            [I-D.ietf-httpbis-header-structure]): "none", "same-origin",
            "same-site" [or "same-domain"], and "cross-site".
----

/ Kari Hurtta
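The query/answer exchange proposed in this mail, modelled end to end as an added example (this is not code from the draft or from the mail's author): the client starts with delivery "query" and sends token=query, the origin answers with Sec-Http-State-Options, and only then does the client send the sh-binary token, and only in contexts the chosen mode permits. The ordering none < same-origin < same-site < cross-site, the reading of step 5a's "null" as the "none" mode, and the two regexes for draft-09 sh-binary and the delivery member are my assumptions.

```python
import base64
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Modes a Sec-Http-State-Options response may set ("same-domain" is the alias
# floated in the mail). "query" is only the initial metadata value (assumption:
# a response carrying delivery=query is ignored like any unknown identifier).
OPTION_MODES = ("none", "same-origin", "same-site", "same-domain", "cross-site")
_RANK = {"none": 0, "same-origin": 1, "same-site": 2, "same-domain": 2, "cross-site": 3}

@dataclass
class StateToken:
    delivery: str = "query"                                                # proposed default
    value: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # 256 random bits

def attach_header(token: Optional[StateToken], context: str) -> Optional[str]:
    """Client side (section 5.1 as amended): Sec-Http-State value, or None to omit.
    context is the request's initiator relation: same-origin, same-site or cross-site."""
    if token is None or token.delivery == "none":   # step 5a (assumed "none"): send nothing
        return None
    if token.delivery == "query":                   # step 5b: ask the origin for its mode
        return "token=query"
    if _RANK[context] > _RANK[token.delivery]:      # context wider than the token allows
        return None
    return "token=*%s*" % base64.b64encode(token.value).decode("ascii")  # sh-binary

_MEMBER = re.compile(r"^\s*token=(\S+)\s*$")
_BINARY = re.compile(r"^\*([A-Za-z0-9+/=]*)\*$")     # draft-09 sh-binary: *base64*

def parse_sec_http_state(header: str):
    """Server side: ("query", None), ("binary", bytes), or None when the member is ignored."""
    m = _MEMBER.match(header)
    if not m:
        return None
    raw = m.group(1)
    b = _BINARY.match(raw)
    if b:                                           # byte-sequence form
        try:
            value = base64.b64decode(b.group(1), validate=True)
        except ValueError:
            return None
        return ("binary", value) if len(value) <= 32 else None  # >256 bits: ignore
    return ("query", None) if raw == "query" else None           # other sh-tokens: ignore

def apply_options(token: StateToken, options: str) -> StateToken:
    """Apply a Sec-Http-State-Options response; unknown delivery values are ignored."""
    m = re.match(r"^\s*delivery=([a-z-]+)\s*$", options)
    if m and m.group(1) in OPTION_MODES:
        token.delivery = m.group(1)
    return token
```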