Issue #356: Form-encode Expect-CT report bodies?
Emily Stark <estark@google.com> Tue, 06 June 2017 16:50 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8566B12025C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 6 Jun 2017 09:50:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.501
X-Spam-Level:
X-Spam-Status: No, score=-6.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id At7FBS-MZrJj for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 6 Jun 2017 09:50:00 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FCA2126DCA for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 6 Jun 2017 09:50:00 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.84_2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1dIHcy-0002e6-Ng for ietf-http-wg-dist@listhub.w3.org; Tue, 06 Jun 2017 16:46:44 +0000
Resent-Date: Tue, 06 Jun 2017 16:46:44 +0000
Resent-Message-Id: <E1dIHcy-0002e6-Ng@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <estark@google.com>) id 1dIHcq-0002dB-EJ for ietf-http-wg@listhub.w3.org; Tue, 06 Jun 2017 16:46:36 +0000
Received: from mail-ot0-f180.google.com ([74.125.82.180]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <estark@google.com>) id 1dIHcj-0001Je-Rd for ietf-http-wg@w3.org; Tue, 06 Jun 2017 16:46:31 +0000
Received: by mail-ot0-f180.google.com with SMTP id t31so18870165ota.1 for <ietf-http-wg@w3.org>; Tue, 06 Jun 2017 09:46:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=RQoLTKmxuQUTeYwgylIut/U3DmNTP9zi8b0KGaT/O5Y=; b=G5mOrMaJvxpZmJLE6G+pGkomfuNZSuI6wPdECaGSoSdjNFdlx0m2GSezHyKmcuN2bl v9lZnVa7OmeCWDtGE1J+x3fl0vHJQps5dpjY3U+HooXTKxWCEtskaOBL3vpmkCJrpwvA JUo6HmqS57mNxhGiPNqsB78rvX10PVCwUfLrGEV7npCZAA1cDLIWHOstBU5zk5wlChm4 mtagqHs8KGE2M6cyk8kE577tmsVqGUvc0FJoPo1s54tJgGx+soMQoePFFvlrO8a+9C1G AUGcaDKJsvjJLdE8zBsccSCGRtmtQfZw35PxUEPgmmtyutNuyqqe/Jpk+VMf1ThMhatU t/hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=RQoLTKmxuQUTeYwgylIut/U3DmNTP9zi8b0KGaT/O5Y=; b=nrTh2peNwkQ0b6cpEiew7g+p8pXBoOnrQGeUdVDLAWWTZy5OmupN7ysDCv4TSkyO5e bphdmPxY51EjoBG/sX1ZFMqMeC9yyeyZ9mazE72Iu6BVASSYgZQ6A/c0oPAo9DSKsK5F cTseuuH2/p7fNw411ghv4HFfdTIqe5Ao5n/r8myf0J8PjnTEmTGI/8HzyV7/BXc3izM1 co8pb8JFxRhn8RkJiuT/MfcmE2XPbAvmS4V1Q5pqLqUrhLbALA9ZbMMERjlOdgAe9War sdeLPwpLsKb1Phplm4dXnbSyMulTETAkZBm96LxJYdnNBOi8ZqwBa25/4GQvVVIqnKEA GWSg==
X-Gm-Message-State: AKS2vOw/kPNkOpBfxqw1YmR81blkgr3S2DMU8IDS12uaK5l1yzIHqZC9 gmgh2zSOyOvxoi6G1dU3g3moTKAXSuIIPs9Ssg==
X-Received: by 10.157.15.149 with SMTP id d21mr13525589otd.227.1496767563070; Tue, 06 Jun 2017 09:46:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.66.86 with HTTP; Tue, 6 Jun 2017 09:45:42 -0700 (PDT)
From: Emily Stark <estark@google.com>
Date: Tue, 06 Jun 2017 09:45:42 -0700
Message-ID: <CAPP_2Sa+6eSAChgp8KrzabPJUkMmiKBhWp1dFhS0zOVnXrenLw@mail.gmail.com>
To: httpbis <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113e568ee8cf0f05514d5a50"
Received-SPF: pass client-ip=74.125.82.180; envelope-from=estark@google.com; helo=mail-ot0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1dIHcj-0001Je-Rd 83094658efe99dceb7d815463c2f7cd7
X-Original-To: ietf-http-wg@w3.org
Subject: Issue #356: Form-encode Expect-CT report bodies?
Archived-At: <http://www.w3.org/mid/CAPP_2Sa+6eSAChgp8KrzabPJUkMmiKBhWp1dFhS0zOVnXrenLw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33963
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
I'm looking for some feedback on https://github.com/httpwg/ http-extensions/issues/356. Expect-CT violation reports are currently specified as POST requests with JSON bodies. When implemented in a web browser, such reports should arguably send CORS preflights, because the content type is not CORS-safelisted (https://www.w3.org/TR/cors/#simple-header). But sending CORS preflights for these requests doesn't really make sense from a web browser architecture perspective: CT compliance is checked as part of certificate verification and connection setup, divorced from the context one needs to send a CORS preflight (such as an Origin header). This is not just a theoretical layering issue; implementing preflights for Expect-CT reports in Chrome would be pretty challenging. I only see two options to resolve this, both of which seem bad to me: a) Leave the reporting part of the spec as it currently is, and leave it up to the UA to decide whether further operations such as CORS preflights are needed for sending reports. This would basically leave it to us in Chrome to decide either that Expect-CT reports should not be subject to CORS restrictions, or that we should not ship reporting. (I'm uncomfortable with this option because it somewhat jeopardizes the only active implementation effort that I know of.) b) The disgusting option: disguise Expect-CT reports as form submissions, which are not subject to CORS preflighting. This would mean the report body is sent as hostname=blah&port=443&... or we could even just send expect-ct-report=<stringified JSON blob>. Thanks, Emily
- Issue #356: Form-encode Expect-CT report bodies? Emily Stark
- Re: Issue #356: Form-encode Expect-CT report bodi… Patrick McManus
- Re: Issue #356: Form-encode Expect-CT report bodi… Martin Thomson
- Re: Issue #356: Form-encode Expect-CT report bodi… Patrick McManus
- Re: Issue #356: Form-encode Expect-CT report bodi… Emily Stark
- Re: Issue #356: Form-encode Expect-CT report bodi… Emily Stark
- Re: Issue #356: Form-encode Expect-CT report bodi… Martin Thomson
- Re: Issue #356: Form-encode Expect-CT report bodi… Emily Stark
- Re: Issue #356: Form-encode Expect-CT report bodi… Martin Thomson
- Re: Issue #356: Form-encode Expect-CT report bodi… Emily Stark
- Re: Issue #356: Form-encode Expect-CT report bodi… Martin Thomson
- Re: Issue #356: Form-encode Expect-CT report bodi… Emily Stark
- Re: Issue #356: Form-encode Expect-CT report bodi… Martin Thomson
- Re: Issue #356: Form-encode Expect-CT report bodi… Patrick McManus
- Re: Issue #356: Form-encode Expect-CT report bodi… Emily Stark
- Re: Issue #356: Form-encode Expect-CT report bodi… Anne van Kesteren