- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 07 Jul 2014 21:16:15 +0000
- To: Johnny Graettinger <jgraettinger@chromium.org>
- cc: Mike Bishop <Michael.Bishop@microsoft.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
In message <CAEn92Toz_AHHJfnqubi9-FvJThO+dshFQiTG6FvSAcpSRem16A@mail.gmail.com>, Johnny Graettinger writes:

>> >Agreed. The concept of pre-announcing request and response header limits
>> >seems... messy to me. I don't know what it means if I have a request whose
>> >header size is larger than the limit.
>>
>> It means you might as well not send it, the best you can hope for is
>> a 413, at worst, it will kill the connection.
>
>Right. Assuming I've already done the best I can with compression, this
>outcome is functionally no different than actually sending the request, and
>getting a 413 or closed connection. If I send the request, at least I've
>given the server visibility into the failure.

I thought about server visibility along these lines:

In the case where the server is producing the basis for subsequent
requests (ie: links on a web-page), it is reasonable to expect the
web-designer to either theoretically or through tests confirm that the
links pass muster.

In the likely case where he merely launches his browser and clicks
away, it doesn't matter if the browser or the server tells him "413",
as long as the browser shows them.

If he doesn't give this issue any thought at all and doesn't test it
either, he fails the "you must be this smart to be a web-designer" test
and we have no obligation to waste time on him, in particular not if he
got in this situation by exceeding the default 16KB HEADERS limit.

In the other case, for instance where the client composes requests
based on some written API manual, I think the risk of huge HEADERS is
much more likely, but here again it doesn't matter who produces the
413, the right person still receives it.

So I fail to see server visibility as important.

>So, having a maximum header size setting isn't useful to the client [...]

Not in all cases, but it does for instance tell the client that they
can get their Kerberos tickets through.

And it does help in shaving DoS attacks.
A server can advertise a SETTINGS which is narrowly tuned to allow all
legitimate requests. Any client disrespecting this with intent to DoS
will declare its intention in the first four bytes of the HEADERS frame
and the server will instantly know, without opening the time/space
window from the valid sizes to the current draft's "unlimited" to abuse.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 7 July 2014 21:16:40 UTC
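The early-rejection mechanism phk describes above (the server learns the declared size from the frame header and refuses before buffering any payload), as an added example that is not part of the thread and not code from any HTTP/2 implementation. It assumes the frame header layout of the final RFC 7540 (a 9-octet header whose first 3 octets are the payload length; the draft under discussion in July 2014 laid the header out differently, so "first four bytes" in the message does not map onto these offsets). `SETTINGS_MAX_FRAME_SIZE` and its 16384-octet default are RFC 7540 identifiers; `header_budget`, the per-stream cap on encoded header-block octets accumulated across HEADERS and CONTINUATION, is a hypothetical setting standing in for the per-connection header limit the thread is debating, and is not RFC 7540's advisory `SETTINGS_MAX_HEADER_LIST_SIZE` (which counts decoded size). The sample frames are constructed inline.

```python
import struct

FRAME_HEADER_LEN = 9           # RFC 7540 4.1: 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id
TYPE_DATA = 0x0
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
DEFAULT_MAX_FRAME_SIZE = 1 << 14   # 16384 octets, the RFC 7540 SETTINGS_MAX_FRAME_SIZE default


def parse_frame_header(buf):
    """Split a 9-octet HTTP/2 frame header into (length, type, flags, stream_id)."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("frame header needs %d octets" % FRAME_HEADER_LEN)
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF   # mask the reserved bit
    return length, ftype, flags, stream_id


def build_frame(ftype, flags, stream_id, payload):
    """Serialize a frame. Used here only to construct sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


class HeaderBlockGuard:
    """Decide from the frame header alone whether a payload is worth reading.

    max_frame_size models the server's advertised SETTINGS_MAX_FRAME_SIZE.
    header_budget is a hypothetical per-stream cap on encoded header-block
    octets (HEADERS plus any CONTINUATION frames); it is not an RFC 7540 setting.
    """

    def __init__(self, max_frame_size=DEFAULT_MAX_FRAME_SIZE,
                 header_budget=DEFAULT_MAX_FRAME_SIZE):
        self.max_frame_size = max_frame_size
        self.header_budget = header_budget
        self.pending = {}   # stream_id -> header-block octets declared so far

    def check(self, header9):
        """Return (verdict, reason, octets). Only the 9 header octets are consumed."""
        length, ftype, flags, stream_id = parse_frame_header(header9)

        # The client declared the oversize in the length field; nothing of the
        # payload has been buffered, so there is no window for it to occupy.
        if length > self.max_frame_size:
            return ("connection_error", "FRAME_SIZE_ERROR", length)

        if ftype not in (TYPE_HEADERS, TYPE_CONTINUATION):
            return ("read", None, length)

        # A client can stay under max_frame_size per frame and still grow the
        # header block without bound via CONTINUATION, so count cumulatively.
        seen = self.pending.get(stream_id, 0) + length
        if seen > self.header_budget:
            self.pending.pop(stream_id, None)
            return ("reject_stream", "header block exceeds budget", seen)

        if flags & FLAG_END_HEADERS:
            self.pending.pop(stream_id, None)   # block complete, forget the stream
        else:
            self.pending[stream_id] = seen      # more CONTINUATION frames to come
        return ("read", None, length)


if __name__ == "__main__":
    guard = HeaderBlockGuard()
    # Constructed samples: a legitimate request, a single oversized HEADERS
    # frame, and a header block smuggled past the frame limit via CONTINUATION.
    small = build_frame(TYPE_HEADERS, FLAG_END_HEADERS, 1, b"x" * 100)
    huge = build_frame(TYPE_HEADERS, FLAG_END_HEADERS, 5, b"y" * 20000)
    part1 = build_frame(TYPE_HEADERS, 0, 3, b"a" * 10000)
    part2 = build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 3, b"b" * 10000)
    for name, frame in (("small", small), ("huge", huge), ("part1", part1), ("part2", part2)):
        print(name, guard.check(frame[:FRAME_HEADER_LEN]))
```

Only the first nine octets of each frame are ever handed to `check`; the verdict for the 20000-octet frame and for the CONTINUATION overrun comes back before a single payload byte has been read from the socket, which is the property the message above is arguing for.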