- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 10 Dec 2013 10:07:42 -0800
- To: Dan Winship <dan.winship@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 10 December 2013 02:05, Dan Winship <dan.winship@gmail.com> wrote:
> So it has to send its settings twice? (Or else send a pointless empty
> SETTINGS frame the second time?)

Yep. Pros and cons considered (at some length) this is what we came up with.

> But is it really important that the client has the ability to provide
> settings prior to receiving any frames from the server, given that the
> server doesn't have the chance to do the same (and the server probably cares
> more about not having clients spam it than the client cares about not having
> the server spam it...)?

It's less a matter of importance, and more one of pragmatism. Servers already deal with this stuff. And it's not an unbounded attack; there's a default maximum on the receive window at both the TCP and HTTP/2.0 connection layers.

We could protect the server further, sure. Proposals have been made <http://tools.ietf.org/html/draft-montenegro-httpbis-http2-server-profiles>, <https://github.com/http2/http2-spec/issues/184>, but after some fairly lengthy discussions, they aren't moving (though the issue isn't closed either).

Received on Tuesday, 10 December 2013 18:08:10 UTC