IETF Logo Mail Archive

Re: [hybi] Comments about draft-13

Bjoern Hoehrmann <derhoermi@gmx.net> Wed, 07 September 2011 01:43 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F8521F8E31 for <hybi@ietfa.amsl.com>; Tue, 6 Sep 2011 18:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.866
X-Spam-Level:
X-Spam-Status: No, score=-3.866 tagged_above=-999 required=5 tests=[AWL=-1.267, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyIQt-pt-X9n for <hybi@ietfa.amsl.com>; Tue, 6 Sep 2011 18:43:50 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 0744621F8E27 for <hybi@ietf.org>; Tue, 6 Sep 2011 18:43:48 -0700 (PDT)
Received: (qmail invoked by alias); 07 Sep 2011 01:45:34 -0000
Received: from dslb-094-222-137-018.pools.arcor-ip.net (EHLO HIVE) [94.222.137.18] by mail.gmx.net (mp067) with SMTP; 07 Sep 2011 03:45:34 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1/UsL1RNXLUjA8aLWJ/UT5SwjZt8h7/yoXr0+pkEx OTcpiurQJaevIE
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Date: Wed, 07 Sep 2011 03:45:42 +0200
Message-ID: <f1id67156por0t8jdbgd8gg6hdur55fad3@hive.bjoern.hoehrmann.de>
References: <CALiegfkUMDfuRC+16ZcLo__2OqAcQ1UVDGa_610ykEAe6yZViw@mail.gmail.com> <CALiegf=wO6w5UMLO-hsn8o0cX3__SuxMDrgqvScuS6QWdNhptw@mail.gmail.com> <A59BAA80-CD38-48C4-A113-C1493072D079@bbn.com> <4E669025.8080804@isode.com> <F9EE9C7A-79FB-44E3-9114-0965D74C5E58@bbn.com>
In-Reply-To: <F9EE9C7A-79FB-44E3-9114-0965D74C5E58@bbn.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: hybi@ietf.org
Subject: Re: [hybi] Comments about draft-13
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 01:43:50 -0000

* Richard L. Barnes wrote:
>I wouldn't have a problem with this had W3C not assigned a semantic to
>the field name:
>"
>[Do not allow a script to set a header] if /header/ is a case-insensitive
>match for one of the following headers [...] or if the start of /header/
>is a case-insensitive match for Proxy- or Sec- (including when header is
>just Proxy- or Sec-).
>"
><http://www.w3.org/TR/XMLHttpRequest/>

This is an incorrect reading of the XMLHttpRequest proposal. The idea is
that those header values must be controlled by the entity that puts the
bits on the wire, not the caller of XMLHttpRequest methods. It could say
just aswell that when the XMLHttpRequest caller sets the Content-Length
header, the implementation must override or remove the value when making
the request, as would be appropriate for the request. "A script" can of
course control the value of the header by sending so and so many bytes
(provided the length is indicated by the browser using the header). And
that is just XMLHttpRequest anyway, not the Websocket API.

Turning this around, you are saying that XMLHttpRequest callers should
be able to set the Websocket header on ordinary HTTP requests despite
them having no meaning there. Back in the day I argued to explain this
in the terms above, and the proposal does say "Note: The above headers
are controlled by the user agent to let it control those aspects of
transport. This guarantees data integrity to some extent. Header names
starting with Sec- are not allowed to be set to allow new headers to be
minted that are guaranteed not to come from XMLHttpRequest." at least.

"A script" is different from "not from XMLHttpRequest", so I am unclear
on where the confusion comes from. That it is XMLHttpRequest that makes
such conventions is a problem; I expect that the httpbis Working Group
<http://lists.w3.org/Archives/Public/ietf-http-wg/2011JanMar/0160.html>
where I raised it will resolve this in one form or another eventually.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

v2.23.0 | Report a Bug | By Email