Re: Last Call: <draft-ietf-httpbis-h2-websockets-05.txt> (Bootstrapping WebSockets with HTTP/2) to Proposed Standard
Patrick McManus <pmcmanus@mozilla.com> Fri, 01 June 2018 21:15 UTC
Return-Path: <pmcmanus@mozilla.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2AD112E040 for <ietf@ietfa.amsl.com>; Fri, 1 Jun 2018 14:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.213
X-Spam-Level:
X-Spam-Status: No, score=-0.213 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BkUW_wF7Yao for <ietf@ietfa.amsl.com>; Fri, 1 Jun 2018 14:15:07 -0700 (PDT)
Received: from linode64.ducksong.com (www.ducksong.com [192.155.95.102]) by ietfa.amsl.com (Postfix) with ESMTP id 563F312E86A for <ietf@ietf.org>; Fri, 1 Jun 2018 14:15:07 -0700 (PDT)
Received: from mail-oi0-f52.google.com (mail-oi0-f52.google.com [209.85.218.52]) by linode64.ducksong.com (Postfix) with ESMTPSA id 898ED3A05C for <ietf@ietf.org>; Fri, 1 Jun 2018 17:15:06 -0400 (EDT)
Received: by mail-oi0-f52.google.com with SMTP id k190-v6so6091152oib.9 for <ietf@ietf.org>; Fri, 01 Jun 2018 14:15:06 -0700 (PDT)
X-Gm-Message-State: APt69E32eMyLxbBSOr6fr5TDXMHqReK3kkanWEDRPwSSiCO8owDEWweA Sn87aVG3iR1T6/ZQKLGS8htKafpxaDjjuYpbLOk=
X-Received: by 2002:a54:4e8a:: with SMTP id c10-v6mt7285555oiy.155.1527887706223; Fri, 01 Jun 2018 14:15:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:8a32:0:0:0:0:0 with HTTP; Fri, 1 Jun 2018 14:15:05 -0700 (PDT)
In-Reply-To: <CAOdDvNrg_nZ9V7=84WJ4+cUUrn=zrbDQJNHkzGshGUQK=2LnNA@mail.gmail.com>
References: <152571506326.1248.9549427214276435596.idtracker@ietfa.amsl.com> <5713cb7d-31a3-e8d7-5428-247e42fcd5fa@gmx.de> <CAOdDvNrg_nZ9V7=84WJ4+cUUrn=zrbDQJNHkzGshGUQK=2LnNA@mail.gmail.com>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Fri, 01 Jun 2018 17:15:05 -0400
X-Gmail-Original-Message-ID: <CAOdDvNoxr-64duuBkOmb83DZCAu14fZfNNh17zSg4z=-S_0DNg@mail.gmail.com>
Message-ID: <CAOdDvNoxr-64duuBkOmb83DZCAu14fZfNNh17zSg4z=-S_0DNg@mail.gmail.com>
Subject: Re: Last Call: <draft-ietf-httpbis-h2-websockets-05.txt> (Bootstrapping WebSockets with HTTP/2) to Proposed Standard
Cc: Julian Reschke <julian.reschke@gmx.de>, IETF Discussion Mailing List <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fca3fe056d9b13c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/kFUJGOnJ8AJ_sUVnHKLR7c0FlhE>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2018 21:15:10 -0000
Hi Julian, I apologize this got a little bit forgotten. I will issue a new draft with the last call comments included. On Fri, May 11, 2018 at 6:31 AM, Julian Reschke <julian.reschke@gmx.de> wrote: > > The terminology "HTTP/2 CONNECT method" is a bit confusing, as it make it > sound as if there are HTTP methods specific to a protocol version. > > Maybe "the HTTP CONNECT method (as specified for HTTP/2 in Section 8.7 of > [RFC7540])"? > > sure. > 4. The Extended CONNECT Method > > ... > > o A new pseudo-header :protocol MAY be included on request HEADERS > indicating the desired protocol to be spoken on the tunnel created > by CONNECT. The pseudo-header is single valued and contains a > value from the HTTP Upgrade Token Registry defined by [RFC7230]. > > I believe it would be good to add a short explanation why it is ok to > defined a new pseudo header field despite this not being an HTTP/2 > extension point. > > I realize that using the SETTINGS mechanism one can make incompatible > changes (and this should be mentioned here), but I'm still unconfortable > with the consequences, for instance: what if a different extension wants to > define the same pseudo header field with different semantics? > > The latest iteration of that discussion is here: https://www.ietf.org/mail- archive/web/secdir/current/msg08134.html .. the wg also considered the question. It is an interesting question for everyone reviewing the documents, but I don't really think its a very interesting question for someone implementing this protocol. The general question of semantic conflict is something the WG has to handle for all proposed extensions (and registries are never going to cover the full semantic set of potential conflicts.. I would argue that the change in interpretation of :authority is more significant than a new header value) - nothing particular about this one. Maybe we should consider a general document on the topic. Based on these comments I added a bit more detail to the existing discussion in section 3: The use of a SETTINGS Parameter to opt-in to an otherwise incompatible protocol change is a use of "Extending HTTP/2" defined by Section 5.5 of [RFC7540]. Specifically, the addition a new pseudo-header ":protocol" and the change in meaning of the ":authority" pseudo-header in Section 4 require opt-in negotiation. > > 8. Security Considerations > > [RFC6455] ensures that non-WebSockets clients, especially > XMLHttpRequest based clients, cannot make a WebSocket connection. > Its primary mechanism for doing that is the use of Sec- prefixed > request headers that cannot be created by XMLHttpRequest-based > clients. This specification addresses that concern in two ways: > > o The CONNECT method is prohibited from being used by XMLHttpRequest > > Clarify that XMLHTTPRequest defines this. > ok > o The use of a pseudo-header is something that is connection > specific and HTTP/2 does not ever allow to be created outside of > the protocol stack. > > It doesn't? Where? (I agree it would be bad but does the spec really > prohibit it???) > > "pseudo-header fields are not http header fields" in 7540.. as http header fields are semantically part of the api, that's something you need to worry about being generated outside the stack and gatewayed. but not in this case. > > > - move first citation of RFC7230 up to first paragraph > > ok - potentially make the citation for Upgrade more specific (6.7) > > ok > > 4. The Extended CONNECT Method > > ... > > o A new pseudo-header :protocol MAY be included on request HEADERS > indicating the desired protocol to be spoken on the tunnel created > by CONNECT. The pseudo-header is single valued and contains a > value from the HTTP Upgrade Token Registry defined by [RFC7230]. > > It would probably better to refer to the registry instead (< > https://www.iana.org/assignments/http-upgrade-tokens/http- > upgrade-tokens.xhtml>). > > > ok > 5. Using Extended CONNECT To Bootstrap The WebSocket Protocol > > s/The/the/ > > ok ... > > The scheme of the Target URI [RFC7230] MUST be "https" for "wss" > schemed WebSockets and "http" for "ws" schemed WebSockets. The > websocket URI is still used for proxy autoconfiguration. > > Maybe cite Section 5.1 of RFC 7230 specifically. > > ok > ... > > The Sec-WebSocket-Version, Origin [RFC6454], Sec-WebSocket-Protocol, > and Sec-WebSocket-Extensions headers are used on the CONNECT request > and response headers in the same way as defined in [RFC6455]. Note > that HTTP/1 header names were case-insensitive and HTTP/2 requires > they be encoded as lower case. > > ...sort the field names so that "Origin" is at the start or the end. > > ok > ... > > After successfully processing the opening handshake, the peers should > proceed with The WebSocket Protocol [RFC6455] using the HTTP/2 stream > > s/The/the/ > > ok > ... > > 5.1. Example > > (Example still is too wide for the old RFC format) > > I'm going to let the rfc editor help with the whitespace issues here. > > 6. Design Considerations > > (maybe move to an appendix?) > > Kinda meh here - and hearing no other comments will leave alone > > Best regards, Julian > > >
- Re: Last Call: <draft-ietf-httpbis-h2-websockets-… Julian Reschke
- Re: Last Call: <draft-ietf-httpbis-h2-websockets-… Patrick McManus
- Re: Last Call: <draft-ietf-httpbis-h2-websockets-… Julian Reschke