site-wide headers
Martin Thomson <martin.thomson@gmail.com> Wed, 28 September 2016 11:05 UTC
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 28 Sep 2016 21:00:05 +1000
Message-ID: <CABkgnnWDys91VF5xCBPc4+J8JQnj75VsGoLVkpXxM60egYd5GQ@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: site-wide headers
Archived-At: <http://www.w3.org/mid/CABkgnnWDys91VF5xCBPc4+J8JQnj75VsGoLVkpXxM60egYd5GQ@mail.gmail.com>
(https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00)

I like this approach because it is more obviously composable into an existing system at the consuming end. I especially like that the format is without opinion about its contents. That makes it quite powerful.

I dislike this approach (in contrast to the JSON-based origin-policy[1]) because it uses header fields. Of course that makes it better suited to HTTP. I dislike that the format is without opinion about its contents. That makes it quite powerful.

On balance, I think that this is a distinct improvement.

One thing that this can't do but the origin-policy does is do something to manage the downside of CORS. The idea that you might give out a pass to avoid CORS preflight is very appealing. As far as I can tell, this proposal cannot address that problem. It would be justifiable to say that this is a completely different problem that might build on this work, but it's a very appealing problem to look at.

(It's tempting to suggest that you could include a label that just applies to preflight requests, but I don't know how to solve the origin enumeration problem. origin-policy seems to punt on that.)

---Nits and suggestions

I think that this needs a little more rigour in the definition of the format and the algorithm. They should at least match. It's unclear from the algorithm how blank lines (CRLF CRLF) are handled.

The character set for labels could be expanded a little to include [0-9\-_] so that you can base64url things you might have lying around to produce the label (or just keep the label very short).

You should also note another reason to keep things out of the h2 header table: any change to the table eventually pushes entries out, necessitating re-creation. This is more manageable because it is directly under control.

The draft should note that these advantages come with a cost in memory to clients and that clients that receive unreasonably large header sets can/should pretend that they don't exist.

[1] https://wicg.github.io/origin-policy/