Re: Issue #356: Form-encode Expect-CT report bodies?

Emily Stark <estark@google.com> Fri, 09 June 2017 14:56 UTC

From: Emily Stark <estark@google.com>
Date: Fri, 09 Jun 2017 07:53:45 -0700
Message-ID: <CAPP_2Sa7b3XTgFE0VcF7-ffxYMOuhR8vHTROL88RDus4foP8CA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, httpbis <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Archived-At: <http://www.w3.org/mid/CAPP_2Sa7b3XTgFE0VcF7-ffxYMOuhR8vHTROL88RDus4foP8CA@mail.gmail.com>

On Fri, Jun 9, 2017 at 7:42 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 9 June 2017 at 16:38, Emily Stark <estark@google.com> wrote:
> > Does anyone else have an opinion? If not, I'll probably go with
> > text/plain.
>
>
> After considering this, I would prefer to have this added to the CORS
> exception list in the same way that CSP reporting is.  It is better to
> have an accurate MIME type with an exception and accompanying analysis
> of why it is safe to send these payloads than it is to just have the
> spec try to route around the problem (tempting and easy as that might
> be).
>

CSP reporting isn't added to the CORS whitelist. It's been in violation of
CORS for years and there are some vague plans to fix it by sending
preflights, but adding it to the whitelist hasn't really been discussed.
Anne has said that he prefers not to add more to the whitelist, which I
think is a reasonable stance. (see
https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0009.html --
though to be fair, the same text/plain idea is rejected in that thread as
well)

In addition to the fact that there's not really any principled reason for
expanding the whitelist, it would mean that, say, an XHR can send the new
header value, which shouldn't really be allowed.
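The CORS rule the thread is arguing about, as an added example (not code from the thread, from Chrome, or from the Expect-CT draft): the Fetch "CORS-safelisted request-header" check for Content-Type, applied to candidate report types. text/plain passes and needs no preflight; an accurate JSON report type fails, so it needs either a preflight or a whitelist exception. The report MIME type in the test is an assumption for illustration.

```javascript
// Added example: the Fetch check that decides whether a request's Content-Type
// is CORS-safelisted. A cross-origin POST whose Content-Type fails this check
// triggers a preflight, which is why an accurate report MIME type is a problem
// and why text/plain "routes around" it.

const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Simplified MIME parsing: the essence is type/subtype, lowercased, with any
// parameters (e.g. charset) stripped. Returns null if it is not well formed.
function mimeEssence(value) {
  const essence = value.split(";")[0].trim().toLowerCase();
  if (!/^[^\s/;]+\/[^\s/;]+$/.test(essence)) return null;
  return essence;
}

// Fetch's "CORS-unsafe request-header byte": controls other than HTAB, DEL,
// and the delimiters " ( ) : < > ? @ [ \ ] { }.
const UNSAFE_DELIMITERS = new Set([...'"():<>?@[\\]{}'].map(c => c.charCodeAt(0)));
function hasCorsUnsafeHeaderByte(value) {
  for (const ch of value) {
    const c = ch.charCodeAt(0);
    if ((c < 0x20 && c !== 0x09) || c === 0x7f) return true;
    if (UNSAFE_DELIMITERS.has(c)) return true;
  }
  return false;
}

function isCorsSafelistedContentType(value) {
  // Safelisted header values are capped at 128 bytes.
  if (new TextEncoder().encode(value).length > 128) return false;
  if (hasCorsUnsafeHeaderByte(value)) return false;
  const essence = mimeEssence(value);
  return essence !== null && SAFELISTED_CONTENT_TYPES.has(essence);
}

// Would a report POST with this Content-Type trigger a CORS preflight?
function needsPreflight(contentType) {
  return !isCorsSafelistedContentType(contentType);
}
```

Parameters do not change the answer: text/plain with a charset stays safelisted, while any JSON-style report type fails on its essence alone.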