Re: Frame Length Restrictions from Martin Thomson on 2014-04-22 (ietf-http-wg@w3.org from April to June 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 21 Apr 2014 17:10:44 -0700
To: Jeff Pinner <jpinner@twitter.com>
Cc: Johnny Graettinger <jgraettinger@chromium.org>, Patrick McManus <mcmanus@ducksong.com>, K.Morgan@iaea.org, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnU+3+o8D92rAsefzbUy81+vEN-Gz1LSfrdkr4b=A2ArrA@mail.gmail.com>

On 21 April 2014 17:01, Jeff Pinner <jpinner@twitter.com> wrote:
> My assumption here, is similar to BREACH, user input can be reflected in
> HTTP response bodies, which the upstream servers naively split into 16K data
> frames using whatever HTTP/2 library they have chosen.

Presumably you could take those 16K frames and split them into 16K-9
frames before adding padding.  You could even ask the upstream servers
not to produce 16K frames.  You could even ask the upstream servers to
pad properly.

Received on Tuesday, 22 April 2014 00:11:12 UTC