- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 4 Apr 2014 13:41:21 -0700
- To: K.Morgan@iaea.org
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 4 April 2014 13:36, <K.Morgan@iaea.org> wrote: > If there are specific security issues related to gzip then they apply equally to C-E gzip (which is implicitly required for clients to support already). As we mentioned below, one of the benefits of using TE/Transfer-Encoding over a framing layer transfer coding mechanism is that the decision to TE compress can be made at the same level as deciding to CE compress. This is not correct. An origin server applies Content-Encoding. Transfer-Encoding is hop-by-hop. As I pointed out previously, the entities applying T-E are likely to lack the contextual information required to make the right decisions regarding safe use of compression.
Received on Friday, 4 April 2014 20:41:49 UTC