W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2017

RE: Working Group Last Call The ORIGIN HTTP/2 Frame

From: Lucas Pardue <Lucas.Pardue@bbc.co.uk>
Date: Mon, 2 Oct 2017 23:04:59 +0000
To: Mark Nottingham <mnot@mnot.net>, Martin Thomson <martin.thomson@gmail.com>
CC: Patrick McManus <pmcmanus@mozilla.com>, Mike Bishop <Michael.Bishop@microsoft.com>, Bence Bky <bnc@chromium.org>, HTTP Working Group <ietf-http-wg@w3.org>, Erik Nygren <erik@nygren.org>
Message-ID: <7CF7F94CB496BF4FAB1676F375F9666A3778EBA9@bgb01xud1012>
To track back to that, Nick suggested a new frame called ORIGIN_SUPPORT but reading between the lines this could be a setting like SETTINGS_ENABLE_PUSH. I don't have a strong opinion and don't have a full handle on the concerns raised about a server-sent setting.

I'm not sure if Nick was suggesting such a thing could be set on connection initiation only, or if it could be changed during runtime.

The latest draft added a security consideration for the unbounded origin set, perhaps a client-sent SETTINGS_MAX_ORIGIN_SET_SIZE could be used to provide two functions - bound the origin set size, or disable origin altogether (size 0). Exceeding such a boundary violation would result in a connection error of type ORIGIN_SET_SIZE_EXCEEDED. So even if a server can't control itself, at least it is given fair indication as to why clients are closing connections.

Lucas
________________________________________
From: Mark Nottingham [mnot@mnot.net]
Sent: 02 October 2017 22:53
To: Martin Thomson
Cc: Patrick McManus; Mike Bishop; Bence Bky; HTTP Working Group; Erik Nygren
Subject: Re: Working Group Last Call The ORIGIN HTTP/2 Frame

... and to be clear, the PR was about a server-sent SETTING; does anyone have feedback about Nick's idea regarding a client-sent SETTING?


> On 1 Oct 2017, at 9:12 am, Mark Nottingham <mnot@mnot.net> wrote:
>
> I'm not hearing wild enthusiasm for this, so I'm going to drop the PR.
>
> Cheers,
>
>
>> On 27 Sep 2017, at 7:23 pm, Mark Nottingham <mnot@mnot.net> wrote:
>>
>> I'm OK either way here; it's attractive to have a deadline for knowing whether the connection is under the ORIGIN model (first SETTINGS), but I'm also a bit nervous about introducing such a big change relatively late in the day.
>>
>> Put another way - does anyone think that this is clearly better than the current spec and needs to get in?
>>
>> PR here (still needs some work if we want to adopt):
>> https://github.com/httpwg/http-extensions/pull/406
>>
>>
>>> On 28 Sep 2017, at 11:48 am, Martin Thomson <martin.thomson@gmail.com> wrote:
>>>
>>> On Thu, Sep 28, 2017 at 11:43 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
>>>> I'm not going to object to the setting - it just seems it doesn't really
>>>> address the fact that the client is going to see both 7540 rules and ORIGIN
>>>> rules at some point on the same connection so there's not a lot of point to
>>>> it imo.
>>>
>>> I see your point.  It narrows, but doesn't eliminate the window of
>>> uncertainty and as a result it isn't that much use to you.
>>
>> --
>> Mark Nottingham   https://www.mnot.net/
>>
>>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

--
Mark Nottingham   https://www.mnot.net/




-----------------------------
http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and
may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in
error, please delete it from your system.
Do not use, copy or disclose the
information in any way nor act in reliance on it and notify the sender
immediately.
Please note that the BBC monitors e-mails
sent or received.
Further communication will signify your consent to
this.
-----------------------------
Received on Monday, 2 October 2017 23:05:31 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 November 2017 00:14:13 UTC