W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: Informal Last Call for HTTP Preference Header

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 31 Jan 2012 14:42:41 -0800
Message-ID: <CABkgnnXDMMy3CtVwfxQVrw-qd8zGfYxNWYsOy_=kGyLXVpKwoQ@mail.gmail.com>
To: James Snell <jasnell@gmail.com>
Cc: ietf-http-wg@w3.org
I have only one real problem with the document as it stands.

Though the document requires that new preferences describe security
considerations, security considerations for the preferences included
are non-existent.  At a minimum, something needs to be said about the
security properties of the included preferences.

I suspect that the story is, in general:

A server could incur greater costs in attempting to comply with a
particular preference (for instance, the cost of providing a
representation in a response that would not ordinarily contain one; or
the commitment of resources necessary to track state for an
asynchronous response).  Unconditional compliance from a server could
allow the use of preferences for denial of service.  A server can
ignore an expressed preference to avoid expending resources that it
does not wish to commit.

--Martin

On 31 January 2012 13:28, James Snell <jasnell@gmail.com> wrote:
> I just posted an update for the HTTP Prefer Header altering the
> intended status from "Informational" to "Standards Track". No
> additional changes were made. As I have not received any further
> technical input on the specification, I am issuing an *Informal* Last
> Call for comments before I request that it be kicked up the chain for
> review.
>
> Mark Nottingham has agreed to serve as the document shepherd for
> helping to move it forward.
>
> Current Draft: http://www.ietf.org/id/draft-snell-http-prefer-11.txt
>
> - James
>
Received on Tuesday, 31 January 2012 22:43:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:54 GMT