delivery=same-origin | Re: Formalizing the HTTP State Tokens proposal.

Kari Hurtta <hurtta-ietf@elmme-mailer.org> Wed, 10 April 2019 17:03 UTC

In-Reply-To: <CAKXHy=d3xmsaCGYmnvDQXegMNf1j0gLbpRiLCaT1yr1r=jeueA@mail.gmail.com>
References: <CAKXHy=d3xmsaCGYmnvDQXegMNf1j0gLbpRiLCaT1yr1r=jeueA@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Date: Wed, 10 Apr 2019 19:59:39 +0300
From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Mike West <mkwst@google.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Message-Id: <20190410165945.583F545C5D@welho-filter4.welho.com>
Subject: delivery=same-origin | Re: Formalizing the HTTP State Tokens proposal.
Archived-At: <https://www.w3.org/mid/20190410165945.583F545C5D@welho-filter4.welho.com>

HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00


4.2.  The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  Exactly one member whose key is "delivery", and whose value is one
|      of the following tokens ([I-D.ietf-httpbis-header-structure],
|      Section 3.9): "same-origin", "same-site", or "cross-site".
|
|      If the "delivery" member contains an unknown identifier, the
|      member MUST be ignored.

This does not work for delivery=same-origin because

the Sec-Http-State: header field is generated on the first request
and the default is delivery=same-site.

That is before the http client has seen the Sec-Http-State-Options
response header field.


This solution is subset from my "Server/Site opt-in" suggestion
( <20190403182945.069B4C3F26@welho-filter2.welho.com>
   https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0007.html

  Note that my "Server/Site opt-in" suggestion also needs
  some changes yet. It does not work well on subresources
  which need user opt in / opt out.
)

This solution also includes delivery=none for origins
which want to minimize request size (delivery=none is not
a state for user opt out).
( <20190328190729.F36474EEEA@welho-filter4.welho.com>
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019JanMar/0251.html
)

In another mail I suggested replacing "same-site" with "same-domain".
I mark this now as "same-site" [or "same-domain"].
( <20190407171006.AD9EEB38@welho-filter3.welho.com> 
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0013.html
)

This solution inserts

   Sec-HTTP-State: token=query

as request header when the origin's delivery mode is not known.  This
is syntactically different from a token which gives a binary value
/ byte sequence, because that uses * to indicate a base64 encoded value.

( Some of my other suggestions also use

  Sec-HTTP-State: token=void

as request header).



3.1.  HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  "delivery" specifies the initiating contexts from which the token
|      can be delivered.  It is an enum of either "same-origin", "same-
|      site", or "cross-site".  Unless otherwise specified, its value is
|      "same-site".

⇒

----
    o  "delivery" specifies the initiating contexts from which the token
       can be delivered.  It is an enum of either "query", "none", 
       "same-origin", "same-site" [or "same-domain"], or "cross-site".  
       Unless otherwise specified, its value is "query".
----

3.3.1.  Generate an HTTP State Token for an origin
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-3.3.1

|   2.  Let "token" be a newly created HTTP State Token with its
|       properties set as follows:
|
|       *  "creation": The current time.
|
|       *  "delivery": "same-site"

⇒

----

       *  "delivery": "query"

----

|       *  "key": null
|
|       *  "max-age": 3600
|
|
|       *  "value": 256 cryptographically random bits.


4.1.  The 'Sec-Http-State' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.1

   
|   o  Exactly one member whose key is "token", and whose value is binary
|      content ([I-D.ietf-httpbis-header-structure], Section 3.9) that
|      encodes the HTTP state token's value for the origin to which the
|      header is delivered.
|
|      If the "token" member contains more than 256 bits of binary
|      content, the member MUST be ignored.


⇒

----

   o  Exactly one member whose key is "token". Value of this key
      is either a byte sequence (sh-binary, 
      [draft-ietf-httpbis-header-structure-09], Section 3.10) or a 
      token (sh-token, [draft-ietf-httpbis-header-structure-09], Section 3.9).

      The byte sequence encodes the HTTP state token's value for the
      origin to which the header is delivered. This is binary content.

      If the "token" member contains more than 256 bits of binary
      content, the member MUST be ignored.
   
      The token value (as sh-token) is "query". This indicates that
      the http client supports HTTP state tokens, but needs a value
      for "delivery".

---- 

      ( My other suggestions include a token value (as sh-token)
        which is "void". It also indicates that the
        http client supports HTTP state tokens, but binary content
        could not be delivered. )

4.2.  The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  Exactly one member whose key is "delivery", and whose value is one
|      of the following tokens ([I-D.ietf-httpbis-header-structure],
|      Section 3.9): "same-origin", "same-site", or "cross-site".

⇒

----

   o  Exactly one member whose key is "delivery", and whose value is one
      of the following tokens ([draft-ietf-httpbis-header-structure-09],
      Section 3.9): "none", "same-origin", "same-site" [or "same-domain"], 
      or "cross-site".

      Note: "delivery"'s value "query" is the initial value for metadata
            and is not allowed on the "Sec-Http-State" response header.

----


5.1.  Attach HTTP State Tokens to a request
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-5.1

   5a.  If "request-token"'s "delivery" is "null", then skip the remaining steps in
        this algorithm, and return without modifying the request.


   5b.  If "request-token"'s "delivery" is "query", then:

        1. The user agent MAY omit generating the Sec-Http-State: request
           header if it determines that the origin does not support
           HTTP State Tokens.

           It is not required that all URLs for the origin
           respond with the Sec-Http-State: response header
           for query.

        Note: The Sec-Http-State: response header for query
              may be generated only for certain URLs
              (for example login and/or front page
               URLs).

        2.  Insert a member into "header-value" whose key is "token" and
            value is "query" (using sh-token syntax).

        3. Skip the remaining steps in this algorithm.


|      8.   Insert a member into "header-value" whose key is "token" and
|        whose value is "serialized-value".

⇒

----
       
   8.   Insert a member into "header-value" whose key is "token" and
        whose value is "serialized-value" (using sh-binary syntax).

----


6.  Configuring HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-6


|           +  "header" has a member named "delivery" whose value is not
|              one of the following tokens (Section 3.9 of
|              [I-D.ietf-httpbis-header-structure]): "same-origin",
|              "same-site", and "cross-site".

⇒

----

           +  "header" has a member named "delivery" whose value is not
              one of the following tokens (Section 3.9 of
              [I-D.ietf-httpbis-header-structure]): "none", "same-origin",
              "same-site" [or "same-domain"], and "cross-site".
----

/ Kari Hurtta
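The following is an added illustration of the amended header grammar and of steps 5a/5b/8 as described in the mail above; it is example code written for this page, not code from Kari Hurtta's mail, from the draft, or from any browser. It models the two "Sec-HTTP-State" value shapes (sh-binary `*base64*` for the token value, sh-token "query"/"void" as the mail proposes), the 256-bit limit and the "ignore unknown delivery identifier" rule, and the user-agent side that starts every origin in delivery=query and only switches modes once a Sec-Http-State-Options response is seen. Assumptions are marked in comments: the simplified structured-header parsing, all helper and class names, the ranking "same-origin < same-site < cross-site" used to decide whether a request context is covered by a delivery mode, and the reading of step 5a's "null" as the delivery=none mode the mail introduces.

```python
"""Toy parser and user-agent state machine for the amended Sec-HTTP-State proposal."""
import base64
import re
import secrets
from typing import Dict, Optional, Union

# Mode names come from the draft and the mail; every helper/class name, the
# context-ranking model and the simplified parsing are constructed for this example.
MAX_TOKEN_BITS = 256
OPTION_DELIVERY_MODES = {"none", "same-origin", "same-site", "cross-site"}
INITIAL_DELIVERY = "query"   # the mail's proposed default for fresh per-origin metadata

# Approximations of draft-ietf-httpbis-header-structure-09 sh-token and key syntax.
_TOKEN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9!#$%&'*+\-.^_`|~:/]*$")
_KEY_RE = re.compile(r"^[a-z][a-z0-9_\-*]*$")

Item = Union[bytes, str]


def _parse_item(raw: str) -> Item:
    """One member value: sh-binary (*base64*) -> bytes, sh-token -> str, else ValueError."""
    if raw.startswith("*"):
        if len(raw) < 2 or not raw.endswith("*"):
            raise ValueError("unterminated sh-binary")
        # validate=True rejects non-alphabet characters; bad padding also raises
        return base64.b64decode(raw[1:-1], validate=True)
    if _TOKEN_RE.match(raw):
        return raw
    raise ValueError(f"neither sh-token nor sh-binary: {raw!r}")


def parse_dictionary(header: str) -> Dict[str, Item]:
    """Minimal sh-dictionary parser ('key=value, key=value'); ValueError on garbage."""
    members: Dict[str, Item] = {}
    for part in header.split(","):
        key, sep, raw = part.strip().partition("=")
        if not sep or not _KEY_RE.match(key) or key in members:
            raise ValueError(f"bad member {part!r}")
        members[key] = _parse_item(raw.strip())
    return members


def parse_sec_http_state(header: str) -> Optional[Item]:
    """Request header: token bytes, the sh-token 'query'/'void', or None (member ignored)."""
    try:
        token = parse_dictionary(header).get("token")
    except ValueError:
        return None
    if isinstance(token, bytes):
        # Section 4.1: more than 256 bits of binary content -> member MUST be ignored
        return token if len(token) * 8 <= MAX_TOKEN_BITS else None
    return token if token in ("query", "void") else None


def parse_delivery_option(header: str) -> Optional[str]:
    """Response Sec-Http-State-Options: the accepted 'delivery' mode, or None (member ignored)."""
    try:
        delivery = parse_dictionary(header).get("delivery")
    except ValueError:
        return None
    # 'query' is only the initial metadata value; unknown identifiers are ignored (4.2)
    return delivery if delivery in OPTION_DELIVERY_MODES else None


class OriginState:
    """Per-origin metadata kept by the user agent (shape constructed from section 3.1)."""

    def __init__(self) -> None:
        self.delivery = INITIAL_DELIVERY
        self.value = secrets.token_bytes(MAX_TOKEN_BITS // 8)  # 256 random bits
        self.supports_tokens = True  # 5b.1: the UA MAY clear this if the origin never answers

    def apply_options(self, options_header: str) -> None:
        """Adopt the server's delivery mode; an ignored member leaves the state untouched."""
        mode = parse_delivery_option(options_header)
        if mode is not None:
            self.delivery = mode


# Assumption: a delivery mode covers request contexts no wider than itself.
_CONTEXT_RANK = {"same-origin": 0, "same-site": 1, "cross-site": 2}


def attach_header(state: OriginState, context: str) -> Optional[str]:
    """Steps 5a/5b/8 of the mail: the Sec-HTTP-State value to send, or None for no header."""
    if state.delivery == "none":           # 5a (mail writes "null"; read here as delivery=none)
        return None
    if state.delivery == "query":          # 5b
        if not state.supports_tokens:
            return None                    # 5b.1: MAY omit the header entirely
        return "token=query"               # 5b.2: sh-token syntax, then stop
    if _CONTEXT_RANK[context] > _CONTEXT_RANK[state.delivery]:
        return None                        # request context not covered by the delivery mode
    return "token=*" + base64.b64encode(state.value).decode("ascii") + "*"  # step 8, sh-binary


def demo() -> bool:
    """Round trip: query first, server opts in to same-origin, token then sent same-origin only."""
    state = OriginState()
    first = attach_header(state, "cross-site")
    state.apply_options("delivery=same-origin")
    sent = attach_header(state, "same-origin")
    return (first == "token=query"
            and attach_header(state, "same-site") is None
            and parse_sec_http_state(sent) == state.value)


if __name__ == "__main__":
    print("demo ok:", demo())
```

The two parsers deliberately return None rather than raising for anything they must ignore, so a caller cannot accidentally treat an over-long or malformed token as a valid one; the server-side rejection of "query" in Sec-Http-State-Options is what keeps the initial metadata value from being set from the network.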