[Errata Held for Document Update] RFC9204 (7277)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 30 January 2024 14:27 UTC

To: rory.hewitt@gmail.com, krasic@acm.org, mbishop@evequefou.be, afrind@fb.com
Subject: [Errata Held for Document Update] RFC9204 (7277)
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: francesca.palombini@ericsson.com, iesg@ietf.org, quic@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240130142748.7C91C1A3A476@rfcpa.amsl.com>
Date: Tue, 30 Jan 2024 06:27:48 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/PU7WSHYoZW4uZRgm5nwHW7kZz3U>

The following errata report has been held for document update 
for RFC9204, "QPACK: Field Compression for HTTP/3". 

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7277

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Rory Hewitt <rory.hewitt@gmail.com>
Date Reported: 2022-12-15
Held by: Francesca Palombini (IESG)

Section: Appendix A

Original Text
-------------
In the static table, entry 73 has a value of:

access-control-allow-credentials: TRUE

and entry 74 has a value of:

access-control-allow-credentials: FALSE

Corrected Text
--------------
Entry 73 should have a value of:

access-control-allow-credentials: true

(note the lower-case value of "true")

and entry 74 should NOT EXIST since "FALSE" (in upper-case
or lower-case) is not a valid value for this header.

Notes
-----
The "access-control-allow-credentials" header is a CORS header. It only has one allowed value - "true" (without quotes, MUST be in lower-case). Values of "TRUE", "FALSE" and "false" are all invalid values, as is any mixed-case version of "true".

See the latest WHATWG spec at https://fetch.spec.whatwg.org/#cors-protocol-and-credentials which notes the required case-sensitivity of the "true" value and that it is the only valid value.

Also see the prior W3C spec at https://www.w3.org/TR/2020/SPSD-cors-20200602/#access-control-allow-credentials-response-header which says the same thing. Note that the W3C spec was superseded by the WHATWG spec.

Note that there are many instances of "access-control-allow-credentials: false" being returned from server responses (which is presumably why these values were added to the table), but they are invalid and the servers that send them are not following the CORS specification.

There may be a case to be made that the static table is defined to make the QPACK algorithm as performant as possible and therefore it should include not only commonly-used valid values, but also commonly-used invalid values. However, the static table should ideally contain only valid header values.

-- Verifier notes
See https://mailarchive.ietf.org/arch/msg/quic/tgmjRvHDPev-mjPQWEM_zqRn5LE/

--------------------------------------
RFC9204 (draft-ietf-quic-qpack-21)
--------------------------------------
Title               : QPACK: Field Compression for HTTP/3
Publication Date    : June 2022
Author(s)           : C. Krasic, M. Bishop, A. Frindell, Ed.
Category            : PROPOSED STANDARD
Source              : QUIC
Area                : Transport
Stream              : IETF
Verifying Party     : IESG
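
The Fetch "CORS check" that the erratum's notes rely on, written out as an added example (it is not part of the erratum, the RFC, or any browser's code) so that the byte-exact comparison against "true" is visible next to the case-insensitive handling of the field name; the request origin, credentials mode and sample header lists are constructed.

```javascript
// Added example, not text from the erratum or code from RFC 9204: the CORS
// check of the WHATWG Fetch standard (https://fetch.spec.whatwg.org/), written
// out so the byte-exact comparison against "true" is explicit.

// Fetch's "get a header" on a header list: names compare case-insensitively
// (HTTP/3 field names are lower-case on the wire anyway) and multiple values
// are combined with ", ". Returns null when the header is absent.
function getHeader(headerList, name) {
  const wanted = name.toLowerCase();
  const values = headerList
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length === 0 ? null : values.join(", ");
}

// Fetch "CORS check". requestOrigin is the serialized origin of the page making
// the request; credentialsMode is "include", "same-origin" or "omit".
function corsCheck(requestOrigin, credentialsMode, headerList) {
  const allowOrigin = getHeader(headerList, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  // Unlike the field name, the value is byte-case-sensitive: only `true` passes.
  return getHeader(headerList, "Access-Control-Allow-Credentials") === "true";
}

// Constructed responses covering the values the erratum discusses.
const ORIGIN = "https://app.example"; // constructed request origin
const ACAO = ["access-control-allow-origin", ORIGIN];
const SAMPLES = {
  "lower-case true":    [ACAO, ["access-control-allow-credentials", "true"]],
  "static table TRUE":  [ACAO, ["access-control-allow-credentials", "TRUE"]],
  "static table FALSE": [ACAO, ["access-control-allow-credentials", "FALSE"]],
  "lower-case false":   [ACAO, ["access-control-allow-credentials", "false"]],
  "header absent":      [ACAO],
  "wildcard origin":    [["access-control-allow-origin", "*"], ["access-control-allow-credentials", "true"]],
};

// Run every sample through the check; returns { sampleName: passed }.
function evaluateSamples(credentialsMode = "include") {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = corsCheck(ORIGIN, credentialsMode, headers);
  }
  return out;
}

console.table(evaluateSamples());
```

With a credentialed request only the lower-case "true" sample passes; with credentials mode "omit" the credentials header is never consulted, which is why servers emitting "FALSE" rarely notice the defect.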