- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Fri, 05 Aug 2016 08:01:52 +0000
- To: Cory Benfield <cory@lukasa.co.uk>
- cc: HTTP Working Group <ietf-http-wg@w3.org>
-------- In message <63CCB07A-0204-4CF7-B598-9497D7112021@lukasa.co.uk>, Cory Benfield writes: >Brad Fitzpatrick and I ended up prototyping a sample approach for >getting this information out of server implementations, based on issuing >a GET request to a specific well-known URI. This GET would return a JSON >document [...] >https://http2.golang.org/.well-known/h2interop/state and >https://shootout.lukasa.co.uk/.well-known/h2interop/state. >draft here: >https://tools.ietf.org/html/draft-benfield-http2-debug-state-00 As I said in the workshop, this has security considerations. A lot of people tend to forget that client side proxies exist in H2. They may not be popular, they may not be COTS (yet), but nanny-proxies are not going to go away when they are mandated by law in an increasing number of contexts. For security reasons we cannot allow this well-known-URL to be fetched through a shared client-side proxy. Exporting the HPACK header table gives you the other clients cookies etc, and even exporting the streams table would probably leak more info than acceptable. Short of a dedicated H2 frame to get this, I don't know of any method which can enforce this being used only hop-to-hop, which is the only way it can be used safely. So at the very least this needs to be firmly turned off by default and have a major warning posted on the enabling button. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 5 August 2016 08:04:35 UTC