IETF Logo Mail Archive

Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard

Matthew Kerwin <matthew@kerwin.net.au> Tue, 28 October 2014 03:19 UTC

Return-Path: <phluid61@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1BD91A8723 for <ietf@ietfa.amsl.com>; Mon, 27 Oct 2014 20:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.427
X-Spam-Level:
X-Spam-Status: No, score=-0.427 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2JY0bxm8_nm for <ietf@ietfa.amsl.com>; Mon, 27 Oct 2014 20:19:12 -0700 (PDT)
Received: from mail-qg0-x22a.google.com (mail-qg0-x22a.google.com [IPv6:2607:f8b0:400d:c04::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 449111A802C for <ietf@ietf.org>; Mon, 27 Oct 2014 20:19:12 -0700 (PDT)
Received: by mail-qg0-f42.google.com with SMTP id z60so5090786qgd.15 for <ietf@ietf.org>; Mon, 27 Oct 2014 20:19:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=F9iXtDPVIbMuQectFqKlI5K1HD2ETppFjgGLf10wQjA=; b=BsZ28gZc9H3wY0q2g/kcdxGeGJmgnNZHbDJuRIReR3MygifFvt/Zd0B8Aub6F+JTpJ R/kalezs6UAfxLzbMmDTh7ezoRwGYYYMkTzZlRrp99S+4vLpRt59mnpGDxv3C5Dmosjm 5tATFkiWCglAx4nBpf8ahAI7esJ9bYf6+GZjlLlvyxxlhREevQF6+jsF/eb4TEoY6Dmu lwnBU6zCDM3eYnKywUP6FKTyaM0YPFA9clkumhsOvxJR4xYrEUty6azBSbv9bR0O+cts 1Fj/rN50OVjokeIOj6Kfce800p8NCJtFHObkJOuh531TBfplhndIGTNhMTA7MEaPPGdC GbSQ==
MIME-Version: 1.0
X-Received: by 10.224.23.67 with SMTP id q3mr781168qab.92.1414466351485; Mon, 27 Oct 2014 20:19:11 -0700 (PDT)
Sender: phluid61@gmail.com
Received: by 10.140.29.132 with HTTP; Mon, 27 Oct 2014 20:19:11 -0700 (PDT)
In-Reply-To: <544EFDA5.9000408@dcrocker.net>
References: <20141028004920.51745.qmail@ary.lan> <544EF0A4.7090609@gmail.com> <544EFBC2.5070402@dcrocker.net> <CACweHNBUsJxkey8HzR5wg7O3E1PEu0FwghMwxO2zQhF4+2yaOA@mail.gmail.com> <544EFDA5.9000408@dcrocker.net>
Date: Tue, 28 Oct 2014 13:19:11 +1000
X-Google-Sender-Auth: jpgLa-Sw1_qVB52HrmJ3h7PfZ7o
Message-ID: <CACweHNDGkg6eNvOYqid1QEd8jPkzVDFEu=B3cS-Qf4D0GJqy-g@mail.gmail.com>
Subject: Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard
From: Matthew Kerwin <matthew@kerwin.net.au>
To: Dave Crocker <dcrocker@bbiw.net>
Content-Type: multipart/alternative; boundary="001a11c2d2566d59080506731cd7"
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/4Sf_3PKSdl3OkceMXH4ncXzdlhM
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 03:19:14 -0000

On 28 October 2014 12:21, Dave Crocker <dhc@dcrocker.net> wrote:

> On 10/27/2014 7:19 PM, Matthew Kerwin wrote:
> >     So there is no model for communicating back to the browser that
> content
> >     is safe or not, nevermind for communicating up to the user.
> >
> >
> > Actually, there's Preference-Applied. I don't recall seeing that
> > forbidden by this draft, and it's a "MAY send" in RFC 7240. That said,
> > it would still be a bit silly for a browser to add UI to advertise the
> > presence of the header.
>
>
> Forgive me, but:  THAT HAS NOTHING TO DO WITH THIS DRAFT.
>
> My comments concerned only this draft.
>
>
​It's a normative reference. While I support the draft, I'm still willing
to play​ devil's advocate here. Brian has managed to point out that, today,
there's no metadata or side-channel communication from server to browser
that suggests that the content is in anyway "safe", but by standardising
Prefer:safe, we introduce Preference-Applied:safe, which allows servers to
"lie" in metadata as well as in data.

Whether or how much of a lie it is depends on the interpretation of
Preference-Applied:safe

As I said earlier, I don't believe it's an issue, but it's still a new
thing, introduced by this draft. It's right for us to address it, even if
just to say it's not an issue.

-- 
  Matthew Kerwin
  http://matthew.kerwin.net.au/

v2.23.0 | Report a Bug | By Email