W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2016

Re: site-wide headers

From: Willy Tarreau <w@1wt.eu>
Date: Sat, 1 Oct 2016 08:12:55 +0200
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20161001061255.GA31660@1wt.eu>
Hi Martin,

On Wed, Sep 28, 2016 at 09:00:05PM +1000, Martin Thomson wrote:
> (https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00)
> 
> I like this approach because it is more obviously composable into an
> existing system at the consuming end.  I especially like that the
> format is without opinion about its contents.  That makes it quite
> powerful.
> 
> I dislike this approach (in contrast to the JSON-based
> origin-policy[1]) because it uses header fields.  Of course that makes
> it better suited to HTTP.

In fact that's what I find powerful here. I know *many* places where
these headers are set by the front reverse-proxy, simply because it
ensures that they're uniform across all the servers. But it also
happens that there are exceptions (eg: for static some servers or
certain unrelated applications). With this mechanism, there's almost
nothing to change in the way it works. The admin will just have to
add "HS" to the responses instead of adding all these header fields,
when the reverse-proxy notices that the client provided the valid SM
field. And it also ensures the proxy an simply remove HS: and replace
it with all appropriate headers when it comes from a server where it's
not appropriate at all (you know, some application developers like to
copy-paste when they don't know).

So in fact, it supports everything already supported today but the
smarter way. It's really nice in my opinion.

Cheers,
Willy
Received on Saturday, 1 October 2016 06:13:25 UTC

This archive was generated by hypermail 2.3.1 : Saturday, 1 October 2016 06:13:27 UTC