W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: Retry safety of HTTP requests

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 23 Mar 2016 16:12:58 +1100
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <A84B23F9-4256-4860-87AB-68E031626322@mnot.net>
To: Subodh Iyengar <subodh@fb.com>

> On 23 Mar 2016, at 1:33 PM, Subodh Iyengar <subodh@fb.com> wrote:
> 
> @Mike Bishop there are some proposals for 0-RTT to include the client timestamp in the client nonce to limit the retryability of 0-RTT which are still being discussed on the TLS mailing lists. This is still an open question.
> 
> > If we’re talking about a pattern of DELETE, PUT, GET, the fact that every separate action is idempotent doesn’t save us from a replay of the DELETE after the PUT
> 
> That's an excellent point, and probably something the application can only determine to be safe. Ideally if an application determines an action to be safe (with a new flag) then it should be safe to retry the same request 5 months from now, although browsers should do a best effort not to do that and TLS 1.3 should also limit the time of 0-RTT to something reasonable.

Yes. 6.3.1 says: "For example, a user agent that knows (through design or configuration) that a POST request to a given resource is safe can repeat that request automatically."

The challenge is how to give the UA that knowledge; it sounds more like a Fetch <https://fetch.spec.whatwg.org> flag (and maybe corresponding API in XHR, HTML forms, etc.) than something here.

It's even harder for a sequence of requests; that really is application-specific.

Cheers,


--
Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 23 March 2016 05:13:29 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 23 March 2016 05:13:33 UTC