IETF Logo Mail Archive

Re: No-Vary-Search

Mark Nottingham <mnot@mnot.net> Fri, 14 June 2024 01:10 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7137EC169422 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 13 Jun 2024 18:10:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.858
X-Spam-Level:
X-Spam-Status: No, score=-2.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="eAfwLDmF"; dkim=pass (2048-bit key) header.d=w3.org header.b="qIpuw8va"; dkim=pass (2048-bit key) header.d=mnot.net header.b="UnmI0E00"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="WJwmcthz"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTplr_XFKRDS for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 13 Jun 2024 18:10:27 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79B67C151073 for <httpbisa-archive-bis2Juki@ietf.org>; Thu, 13 Jun 2024 18:10:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:To:References:Message-Id:Cc:Date:In-Reply-To:From: Mime-Version:Content-Type:Reply-To; bh=G9g+P3dzb1Nogy2w4IT+M0eTthuW8h4YuBy2ODYa/+E=; b=eAfwLDmF7HAmObAt4j5lIw1DAZ rVcS41prb6RELi4nmuWu6QcWlfJpalj91/3wxFymGmKl7GwRkk9n0oimZm3kfK5Ulu7rOEdsR52Jv wXmFzMV0qLXzF4uj39R5vBY0GbqIaes5xi9YBZ3viO+WYrkLeUv3gBQH14UK+FJzfAqCwuPjr93f+ 0GXnsZIXrgsr2yijMdoKoY6u6AQTNXvfXCl8wrSfCcGZm1sqjX8atCaAtAQipeQmYPuXkZgWAA+K3 Y5VheLo8Ni6VWokbScTxz2LXwodLzP8w/rO7jalhH8QspyvcD3qWrRW5/uhH2fkWyBFNdcPW5vDeO NiH2Lfuw==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1sHvRc-004IcE-0o for ietf-http-wg-dist@listhub.w3.org; Fri, 14 Jun 2024 01:09:32 +0000
Resent-Date: Fri, 14 Jun 2024 01:09:32 +0000
Resent-Message-Id: <E1sHvRc-004IcE-0o@mab.w3.org>
Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <mnot@mnot.net>) id 1sHvRZ-004IbI-00 for ietf-http-wg@listhub.w3.internal; Fri, 14 Jun 2024 01:09:29 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=To:References:Message-Id:Cc:Date:In-Reply-To:From:Subject: Mime-Version:Content-Type:Reply-To; bh=G9g+P3dzb1Nogy2w4IT+M0eTthuW8h4YuBy2ODYa/+E=; t=1718327368; x=1719191368; b=qIpuw8vaydjhsd4T/5U3bQf6JfmVx4MCoMY4DkMcmFoNMPRHA0Wq8jNxWRjDIvOzBX1+YZajseG Awv0P2ViXp+nvEf3xyEF/1j2BZd+X0gRqmshpY2Yrr56KmmL1RipTrs9n4lFFe8ioHsfQ8PYYkHNC +gnQOmunSHYfdYCDn5GsDpjmfx1VnV6JDlenOSzQe0NMqKPHU4fn3jGUmVCxi1HW0AIzvgnsUr+Pr Hm1GViqAIbWPjcgPbSEUe6pJsJJUx2KVsONjfLsKCF1oV97IW9M1Fcf7e4QRQDRzTifVL70TMYpi7 JmYe99xAcGKGPEM1vrulTq0G2zNZc0WEnyLw==;
Received-SPF: pass (pan.w3.org: domain of mnot.net designates 64.147.123.155 as permitted sender) client-ip=64.147.123.155; envelope-from=mnot@mnot.net; helo=wfhigh4-smtp.messagingengine.com;
Received: from wfhigh4-smtp.messagingengine.com ([64.147.123.155]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <mnot@mnot.net>) id 1sHvRX-00EnxE-33 for ietf-http-wg@w3.org; Fri, 14 Jun 2024 01:09:28 +0000
Received: from compute7.internal (compute7.nyi.internal [10.202.2.48]) by mailfhigh.west.internal (Postfix) with ESMTP id 9D977180012F; Thu, 13 Jun 2024 21:09:23 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute7.internal (MEProxy); Thu, 13 Jun 2024 21:09:23 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1718327363; x=1718413763; bh=G9g+P3dzb1Nogy2w4IT+M0eTthuW8h4YuBy2ODYa/+E=; b= UnmI0E00qDNquO/lwHrKiYX+C8yD4yqkwI53Xr+X8hKjDdFnWhpNOgGdAxee1nhs pMvZEffG1N83OjeXSfx2RiDbBf6omCMRXXtnw9HNIzi2ImswYH6D69opKjfdPWx/ GDnZWldKUZ7qfvGTcSeHSIXXmuCfbAToZ7a6usUQ/bzEm3ULiLQ+uRRUPrEkL+jW 0+D0rU50j8K8ldKdaI7xykrq/tVxYCSzPASJaINrmN0bADs376Up2yz/Z2rZgtnO 5498uTASxgkJeZfZA+2rY8u70mb8jwtHH6u9D5w+c8oSTuwnbto8erLtUtie8lV6 nTMFQyWrinjkRdskwZBlNA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1718327363; x= 1718413763; bh=G9g+P3dzb1Nogy2w4IT+M0eTthuW8h4YuBy2ODYa/+E=; b=W JwmcthzGg7dPNYq3SVTCoqtnt5ij5YoAmXYvg79cutKFvF74JPAaDaYjtTivoW3t StEXdAgqXPkmdELCTUcS3pgbJYwBklbkKFya9EAJTH/drShiMcQyKe4aC7LP1p/9 MGDq39MU6RtVkcgIwm+Xh6WLYYksrSt2vCs2gmujrmMF3rS7zstiQ+2Yif55MqOr mgknkKiwXuMOkKtIEVdhEyNe8hC3n0SMk7trBez1mL0KXCgUHLSTsXGxdOQ8rqhX 53AHqgyTcPSTKOIzxxQasnDMdMcQXIMinHoebYOCELyxJdTqMH8ZUzteuu8eALkS m8Xd+eU2yTBki0H5GCchw==
X-ME-Sender: <xms:Q5hrZoftyYvlday8JsXpP8NXZUP_uCBXmS6TD412vFyHU9IFWzvzRA> <xme:Q5hrZqOIy0IfkLi52HeNK8B4AV9UD5yagcwFWe2v8fJjdKVFxGiCmYooM8CwOFBhv 8Pb5Lb_4dPcPTeF7g>
X-ME-Received: <xmr:Q5hrZpj3D5WKWBc4cvPeZn2RWvAGXF0h9SUH4THIMRSo7Ba7g84mYDGroCKDedvnF1qBZdTSUTOfKia790TLKhucxaQ-ssKqJFLWePeu6pyIerijw3ECC3_n>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrfedukedggeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne goufhushhpvggtthffohhmrghinhculdegledmnecujfgurheptggguffhjgffvefgkfhf vffosehtqhhmtdhhtdejnecuhfhrohhmpeforghrkhcupfhothhtihhnghhhrghmuceomh hnohhtsehmnhhothdrnhgvtheqnecuggftrfgrthhtvghrnheptddugfelffdvhfdvffdt tddukedtvedvhfduvedujedtkeeuueefudehhefgtefhnecuffhomhgrihhnpehglhhuvg hlohhgihgtrdgtohhmpdhrfhgtqdgvughithhorhdrohhrghdpihgvthhfrdhorhhgpdif hhgrthifghdrohhrghdptghhrhhomhgvrdgtohhmpdgvfhhfrdhorhhgpdhgihhthhhusg drihhopdhmnhhothdrnhgvthdptghlohhuughflhgrrhgvrdgtohhmpdhfrghsthhlhidr tghomhdprghkrghmrghirdgtohhmpdhhthhtphgurdhsohenucevlhhushhtvghrufhiii gvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmnhhothesmhhnohhtrdhnvght
X-ME-Proxy: <xmx:Q5hrZt9nQiVtzBCRtOOYdPPmFNqO_bQnU8ihMZ3JCIDBlyWEbX1h4w> <xmx:Q5hrZktYcOaSP-eOPRPNcRdE9DhVQCeYfBYVTWjf8Yc5GENAdlf8Xw> <xmx:Q5hrZkGWM_1qZGhcecTgEiRYtJcTaek1anfX11HDRPWwCgiOnd4Mvw> <xmx:Q5hrZjPxfnwKPwcBLJneHuGx3rzSDcau0_0zhog_jA89mZ-cxZ7K_g> <xmx:Q5hrZmJTfMKN0QW5k1Q2GOW9HwT4yveMYgU7lx-hbjHwrsk0CGbmYhiw>
Feedback-ID: ie6694242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 13 Jun 2024 21:09:21 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <ZmuHKSKBZpXkd115@xps13>
Date: Fri, 14 Jun 2024 11:09:17 +1000
Cc: Jeremy Roman <jbroman@chromium.org>, ietf-http-wg@w3.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5A2743FB-BE1F-43CB-8654-040C5B7298CF@mnot.net>
References: <CACuR13cnHHoRv_Z-HtJeOyJqZb7AVU-_udQ=R_x9qQ1_JeP=KQ@mail.gmail.com> <EA99B248-7BD2-489F-8D86-8EE95D81F661@mnot.net> <CACuR13fHj9_rryosf4T6Z5JJ7JufjzCRrvR_O2_ch9iCk6N3wA@mail.gmail.com> <2C13B3A8-A92A-40B4-BE62-691C7D75DBE9@mnot.net> <CACuR13fozvsaugCiNM9Ppo1NH_tQ4MdnYfaX2nuHVhq-cVt65Q@mail.gmail.com> <Zmqq4b0eoYLBXftb@xps13> <CACuR13fy8jFDBpsJ6-pp7MQ-xxSivM6BCRX5vz+cnVdVi45t_Q@mail.gmail.com> <ZmuHKSKBZpXkd115@xps13>
To: gs-lists-ietf-http-wg@gluelogic.com
X-Mailer: Apple Mail (2.3774.600.62)
X-W3C-Hub-DKIM-Status: validation passed: (address=mnot@mnot.net domain=mnot.net), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=mnot@mnot.net domain=messagingengine.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-9.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1sHvRX-00EnxE-33 ad811748c902134e0a7110f7113c23bd
X-Original-To: ietf-http-wg@w3.org
Subject: Re: No-Vary-Search
Archived-At: <https://www.w3.org/mid/5A2743FB-BE1F-43CB-8654-040C5B7298CF@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/52014
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

From a chair's perspective -- the important thing to establish at this point is whether the WG thinks there's a problem to solve here, and whether this is _approximately_ the right starting point. Document formatting and details of the specification aren't as relevant at this early stage.

Cheers,


> On 14 Jun 2024, at 9:56 AM, gs-lists-ietf-http-wg@gluelogic.com wrote:
> 
> On Thu, Jun 13, 2024 at 05:50:05PM -0400, Jeremy Roman wrote:
>> This is a little hard to read in the plaintext rendering, I'll admit. It's
>> marginally better in the HTML rendering (though even then, the stylesheet
>> makes it only slightly distinguishable).
> 
> Yes, I read the plaintext draft.
> 
>> WHATWG/W3C specs tend to be read in the HTML rendering, where these links
>> would have been blue and underlined. If quotation marks would help with
>> readability in addition to the section cross-link, that's certainly a
>> typographical change I can make.
> 
> I believe that IETF desires RFCs to be readable in more than HTML,
> but I am not the person to provide guidance on that.  Would the chair
> advise?
> 
>> There are many references in the doc to WHATWG specs rather than IETF
>>> specifications for URLs.  Is this intentional?
>>> 
>> 
>> The embodiment we (Google Chrome) have been working on is in a web browser
>> which implements the WHATWG URL specification, and we want this to be
>> useful in web browsers (and HTTP servers which are interacting with web
>> browsers), so being compatible with the way browsers deal with query
>> strings (namely, the application/x-www-form-urlencoded parser, which is
>> used for, for instance, the URLSearchParams object exposed to JavaScript
>> code).
>> 
>> I'm less familiar with the IETF specifications that other uses of HTTP use,
>> though for instance RFC 3986 (Uniform Resource Identifier: Generic Syntax)
>> doesn't say much beyond "query components are often used to carry
>> identifying information in the form of 'key=value' pairs", and RFC 9110
>> (HTTP Semantics) §4.1 simply specifies that this is an optional URL
>> component in the "http" and "https" URI schemes. This doesn't provide
>> enough for the purposes of this document, even if the two are otherwise
>> compatible (which I'm not sure they are).
> 
> If WHATWG spec provides a stricter query string format variant,
> and this RFC draft requires use of that stricter or different
> formatting variant, then the differences should be highlighted.
> 
> e.g.
> "No-Vary-Search uses a variant of query string format defined in WHATWG
> (reference) which is stricter than the varieties of query string syntax
> allowed in RFC (reference)."
> 
> A reference to the WHATWG ABNF for the stricter format variant of the
> query string is also recommended.
> 
>>> The document does not mention the implication of the union of variants
>>> between Vary and No-Vary-Search response headers.  A CDN or browser
>>> might have to limit the number of variants cached.
>>> 
>> 
>> At present the limitations on the cache are not present here, just logic to
>> determine whether a response is suitable to be used. RFC 9111 (HTTP
>> Caching) §4.1 deals with the analogous question for existing variants to a
>> limited extent:
>> 
>> """
>> 
>> If multiple stored responses match, the cache will need to choose one to
>> use. When a nominated request header field has a known mechanism for
>> ranking preference (e.g., qvalues on Accept and similar request header
>> fields), that mechanism MAY be used to choose a preferred response. If such
>> a mechanism is not available, or leads to equally preferred responses, the
>> most recent response (as determined by the Date header field) is chosen, as
>> per Section 4
>> <https://www.rfc-editor.org/rfc/rfc9111#constructing.responses.from.caches>.
>> <https://www.rfc-editor.org/rfc/rfc9111#section-4.1-6>
>> 
>> Some resources mistakenly omit the Vary header field from their default
>> response (i.e., the one sent when the request does not express any
>> preferences), with the effect of choosing it for subsequent requests to
>> that resource even when more preferable responses are available. When a
>> cache has multiple stored responses for a target URI and one or more omits
>> the Vary header field, the cache SHOULD choose the most recent (see Section
>> 4.2.3 <https://www.rfc-editor.org/rfc/rfc9111#age.calculations>) stored
>> response with a valid Vary field value.
>> 
>> """
>> I anticipated that any discussion of this issue would make most sense as
>> part of any (not yet present) text discussing how this supplements RFC
>> 9111. Are there novel considerations here about CDN and browser limits that
>> merit specification?
> 
> A reference to that might be sufficient to acknowledge that this RFC
> extends caching concerns for clients and caching intermediaries.
> 
>> Overall, this document uses idioms I am less familiar seeing in RFCs.
>>> Maybe these idioms are more typical in WHATWG documents, but the
>>> pseudo-code is different than what I typically see in RFCs.
>>> Perhaps I am not familiar with the pseudo-markup variant, but it does
>>> not look like markdown to me.
>>> 
>> 
>> This is actually the RFC <em> element
>> <https://authors.ietf.org/en/rfcxml-vocabulary#em> (semantic emphasis) as
>> submitted, which is rendered in the plaintext rendering as leading and
>> trailing underscores, but in the HTML and PDF renderings as italics. It's
>> used here to set apart variable names from other text, because italics is
>> the typographical convention for doing so in WHATWG/W3C algorithm
>> pseudo-code. Not setting it apart at all might make it harder to skim the
>> pseudocode (e.g., to clearly tell which values are used where), but it's
>> certainly a bit noisy.
>> 
>> e.g. To _parse a URL search variance_ given _value_:
>>> See also my confusion above reading
>>>  "The obtain a URL search variance algorithm"
>>> which could have been
>>>  "The _obtain a URL search variance_ algorithm"
>>> using the _every-other-word_ idiom from Section 4,
>>> though _I_ _am_ _personally_ _not_ _a_ _fan_ _of_ _this_ formatting.
>>> My preference would suggest using a real language (any one), instead of
>>> pseudo-code, to create a reference implementation, if that is the goal.
>>> Add comments to describe required behavior to clarify the reference
>>> implementation.
>>> 
>> 
>> It's a pseudo-code that is typical in WHATWG/W3C documents (
>> https://infra.spec.whatwg.org/#algorithms) Those bodies tend to prefer
>> explicit pseudo-code algorithms, as I understand it, because it forces the
>> algorithm to be unambiguous about some precise aspects of the required
>> behavior that are easy to gloss over in natural language (though of course,
>> it's not the only way of doing so).
>> 
>> While the particular flavour of pseudo-code may not be familiar to this
>> group, I have seen similar pseudo-code in documents such as RFC 8941
>> (Structured Field Values for HTTP) which are relevant to this venue.
> 
> Again, I read the plaintext draft.  Let's wait for guidance from others
> about document formatting and instead discuss content.
> 
>> The No-Vary-Search syntax with "except" reads to me as a double-negative:
>>>  No-Vary-Search: params, except=("x")
>>> 
>>> Not knowing how far along this spec document is, was naming the header
>>> "Vary-Search" considered?  With "Vary-Search", inverting the logic would
>>> suggest "params" to default to all params varying (same as not
>>> specifying Vary-Search), and "except" could be "no-vary"
>>>  Vary-Search: params, no-vary=("x")
>>> to indicate no-vary for "x", or
>>>  Vary-Search: params, no-vary
>>> to indicate all search params are no-vary (wildcard).
>>> 
>> 
>> Yes, it was considered. This choice was made because it means that an
>> absent header, or empty header value, should reflect that existing HTTP
>> semantics are used.
> 
> The same applies to the theoretical "Vary-Search" I described.
> 
>> Since the default behavior is to vary on *all* parameters,
>> their order, and in fact even the way those parameters are encoded in the
>> URL, that means that the behavior of the header is naturally opposite to
>> Vary (which starts from a default behavior of varying on *no* header
>> fields).
> 
> That is more a definition than a reason.  Ok, I get that choice was
> made, but why is it better than non-inverted logic?
> 
>> This does lead to a double negative, unfortunately, with the use of the
>> term "vary". Conceptualizing it instead of as "not varying" as "is the same
>> resource" addresses that (i.e., "This resource *is the same resource* as if
>> it had been requested with other query parameters, except if x differs."
>> has no double negative). Drawing the clear connection with Vary (which is
>> well-known), though, seemed worth the double negative.
> 
> Respectfully, I disagree.
> 
> This header needs to be processed by caching intermediaries and client
> for caching, just like "Vary" needs to be processed for caching
> variants.  Caching variants will have to process and *invert* the logic
> of "No-Vary-Search" to produce the "Vary"-set of varying parameters.
> 
> Put another way, storing the variant requires construction of a cache
> key for the variant, which is some sort of encoding of the varying
> parameters.  Since the set of varying parameters needs to be collected,
> it makes more sense to me to have Vary and Vary-Search, rather than
> Vary and invert-the-logic-of No-Vary-Search.  However, since
> No-Vary-Search supports both positive and a negative ("except") ways to
> define the varying search parameters or non-varying search parameters,
> you might argue the opposite, depending on which version (positive or
> negative) of No-Vary-Search you think may be used more frequently.
> 
>> 7.  Privacy Considerations
>>> 
>>> The ability to cache variants based on search parameters could possibly
>>> compromise privacy due to fingerprinting and the ability to detect cache
>>> hit versus cache miss even with coarse timing resolution.
>>> 
>> 
>> Can you elaborate? If anything, I would have expected that disregarding
>> certain query parameters would mean that someone probing the cache can
>> learn *less* about which values of that query parameter have been seen by
>> the cache previously.
>> 
>> In the context of web browsers, this sort of attack is also mitigated by HTTP
>> cache partitioning
>> <https://developer.chrome.com/blog/http-cache-partitioning> which is now
>> specified (incompletely) by the WHATWG Fetch standard
>> <https://fetch.spec.whatwg.org/#http-cache-partitions>.
> 
> If I have 10 different sets of 16-urls each, can I use caching to create
> a tracking identifier if I assign the client one url from each of those
> 10 sets and create a 10-hexdigit identifier?  Fetching all the URLs and
> detecting which ones are cached might reveal the identifier?  When I
> assign the URLs, I can assign a non-vary parameter 'tracker=1'.  When
> a different page on a different site is requesting all the URLs to
> detect which are cached, the client can add non-vary parameter
> 'tracker=0'.  The server responding can assign HTTP caching headers
> based on the response.  Anyway, this is not my area of expertise.
> Yes, CORS headers factor in, but takes effort to set up properly, and
> "properly" might be malicious if those headers are from malicious sites.
> 
> https://coveryourtracks.eff.org/
> 
> Some of your colleages at Google would be able to better explain all the
> creative ways Google is fingerprinting clients in addition to cookies.
> 
> Cheers, Glenn
> 
>> Cheers, Glenn
>>> 
>>> 
>>> On Wed, Jun 12, 2024 at 01:23:23PM -0400, Jeremy Roman wrote:
>>>> In the interest of continuing discussion on this list, the WICG draft has
>>>> been reformatted in RFC format and reported to the Datatracker:
>>>> 
>>>> https://datatracker.ietf.org/doc/draft-wicg-http-no-vary-search/01/
>>>> or directly on GitHub
>>>> 
>>> https://jeremyroman.github.io/http-no-vary-search/draft-wicg-http-no-vary-search.html
>>>> 
>>>> The text has been left mostly unchanged so far (modulo very small
>>> editorial
>>>> changes), and does not yet reflect any change to RFC 9111 behavior
>>> (though
>>>> hopefully it's clear what those changes would be, from the existing
>>> text).
>>>> 
>>>> On Tue, Mar 19, 2024 at 2:26 AM Mark Nottingham <mnot@mnot.net> wrote:
>>>> 
>>>>> Hi Jeremy,
>>>>> 
>>>>>> On 19 Mar 2024, at 11:44, Jeremy Roman <jbroman@chromium.org> wrote:
>>>>>> 
>>>>>> Unfortunately it is not possible for me to join personally (time
>>> zones
>>>>> and personal complications). We might be able to brief a Chrome team
>>> member
>>>>> who is attending if there is interest (depending when this is), though
>>> as
>>>>> you point out it would necessarily be a fairly brief overview on short
>>>>> notice (so it might not be possible).
>>>>> 
>>>>> It doesn't look likely that we'll have time for additional
>>> presentations.
>>>>> I'd suggest continuing the discussion on the list.
>>>>> 
>>>>> Just for some context -- we found this kind of capability useful when I
>>>>> was at Yahoo! way back in 2010:
>>>>>  https://www.mnot.net/talks/pdf/Stupid_Web_Caching_Tricks.pdf#page=36
>>>>> 
>>>>> Cloudflare supports configuration to ignore the whole query string, as
>>>>> well as specific arguments in it:
>>>>>  https://developers.cloudflare.com/cache/how-to/cache-keys/
>>>>> 
>>>>> As does Fastly:
>>>>>  https://docs.fastly.com/en/guides/making-query-strings-agnostic
>>>>> 
>>>>> 
>>> https://www.fastly.com/documentation/solutions/examples/manipulate-query-string/
>>>>> 
>>>>> As does Akamai (apparently, based upon the information available):
>>>>> 
>>>>> 
>>> https://community.akamai.com/customers/s/article/Remove-query-strings-from-forward-request-and-cache-key?language=en_US
>>>>> 
>>>>> I know Varnish supports this as well; I've done it with Squid (using a
>>>>> helper) too. Not sure about eg nginx or Apache httpd.
>>>>> 
>>>>> So I suspect it's safe to say there's interest in this general feature
>>>>> from people who use HTTP caches.
>>>>> 
>>>>> The difference here is the control mechanism to invoke that behaviour
>>> --
>>>>> putting it in a response header is really nice because it's a)
>>>>> standardised, so (eventually) interoperable across implementations,
>>> and b)
>>>>> driven by the resource on the origin server, who has the most
>>> information
>>>>> about the URL's semantics (rather than relying on out-of-band
>>>>> configuration).
>>>>> 
>>>>> However, when a cache has multiple stored responses and they have
>>>>> conflicting information about the cache key, we need to be careful
>>> about
>>>>> specifying the interaction. In a way, this is similar to Vary -- it
>>> faced a
>>>>> similar question, and the decisions made in its design made
>>> implementation
>>>>> difficult. We chose a different approach in Key and Variants to address
>>>>> that; we should probably have a similar discussion here.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> 
>>>>> --
>>>>> Mark Nottingham   https://www.mnot.net/
>>>>> 
>>>>> 
>>> 
> 

--
Mark Nottingham   https://www.mnot.net/

v2.34.0 | Report a Bug | By Email | System Status