- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 1 Sep 2009 13:37:54 +1000
- To: Adam Barth <w3c@adambarth.com>
- Cc: Henrik Nordstrom <henrik@henriknordstrom.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Adam,

One thing -- AIUI Sec-From is sent with *all* requests, including GET. Furthermore, servers will make security-related decisions about the response based upon it. As such, won't servers need to set Vary: Sec-From in responses to assure that caches will do the right thing? Otherwise, a cache could respond to a cross-site request with a stored response improperly.

The latent problem here, BTW, is that some deployed cache implementations don't like Vary headers with any value other than 'Accept-Encoding', refusing to cache such responses. This means that Sec-From is going to negatively impact caching on the Web, potentially quite severely (i.e., some browser as well as intermediary caches won't work at all).

Cheers,

On 29/06/2009, at 9:12 AM, Adam Barth wrote:

> On Wed, Jun 24, 2009 at 10:55 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Wed, Jun 24, 2009 at 10:46 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>> Do you have a spec for sec-from?
>>
>> http://tools.ietf.org/html/draft-abarth-origin-01
>>
>> This draft addresses the technical feedback I have received on the -00 version of the draft. As I said in the previous email, I'm going to try to reply to all the outstanding emails in the next couple of days.
>
> Turns out my folder of outstanding issues was mostly individual emails. I had an outstanding request for data from this WG on the number of internal-to-external POST requests. Out of a sample of one million HTTP requests from an enterprise firewall:
>
> 1) 6% of the GET+POST requests were POST.
> 2) 10% of POSTs are cross-host.
> 3) There was exactly one POST from an internal host to an external host.
>
> Caveats: I can't see HTTPS traffic with this methodology. Different enterprises might be different. The enterprise in question does strip the Referer header (although I collected the data prior to stripping).
>
> Adam

--
Mark Nottingham http://www.mnot.net/
Received on Tuesday, 1 September 2009 03:38:38 UTC
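The caching problem Mark raises above, as an added worked example that is not part of the thread or of draft-abarth-origin: a toy shared cache that keys stored responses on the headers named in `Vary` (the selecting headers of RFC 2616 section 13.6), fed by a constructed origin server that returns private content only when `Sec-From` matches its own origin. The origin `https://example.com`, the cross-site origin `https://attacker.example`, the URL `/account`, the server's private/public policy and the `legacy_vary_handling` switch (modelling a deployed cache that refuses to store anything with a `Vary` value other than `Accept-Encoding`) are all assumptions made for illustration. Three runs show the three outcomes: without `Vary: Sec-From` the cache hands the same-origin response to the cross-site request; with it a modern cache keeps the two variants apart; with it a legacy cache stops caching the resource altogether.

```python
"""Toy HTTP cache demonstrating why a Sec-From-dependent response needs
`Vary: Sec-From`, and what that costs on caches that mishandle Vary.
Added example; all origins, URLs and policies below are constructed."""
from typing import Dict, List, Tuple

OWN_ORIGIN = "https://example.com"          # hypothetical origin server
CROSS_ORIGIN = "https://attacker.example"   # hypothetical cross-site page
Headers = Dict[str, str]
Response = Dict[str, str]
Selecting = Tuple[Tuple[str, str], ...]


def origin_server(headers: Headers, emit_vary: bool) -> Response:
    """Constructed origin: private body only for same-origin requests.
    The decision depends on Sec-From, so the response is Sec-From-specific."""
    same_origin = headers.get("Sec-From") == OWN_ORIGIN
    resp = {"body": "private" if same_origin else "public",
            "Cache-Control": "max-age=3600"}
    if emit_vary:
        resp["Vary"] = "Sec-From"  # tell caches the response varies on it
    return resp


def selecting_headers(vary: str, headers: Headers) -> Selecting:
    """Secondary cache key: the request's value of every header named in Vary.
    An empty Vary yields an empty key, i.e. one variant for everyone."""
    names = [n.strip() for n in vary.split(",") if n.strip()]
    return tuple((n, headers.get(n, "")) for n in names)


class Cache:
    """Minimal shared cache: one primary key per (method, URL), a list of
    stored variants underneath, each tagged with its selecting headers."""

    def __init__(self, legacy_vary_handling: bool = False) -> None:
        self.legacy = legacy_vary_handling
        self.store: Dict[Tuple[str, str], List[Tuple[Selecting, Response]]] = {}
        self.hits = 0
        self.misses = 0

    def storable(self, resp: Response) -> bool:
        vary = resp.get("Vary", "").strip()
        if vary == "*":
            return False
        # Assumed legacy behaviour: any Vary other than Accept-Encoding
        # makes the response uncacheable.
        if self.legacy and vary and vary.lower() != "accept-encoding":
            return False
        return True

    def fetch(self, method: str, url: str, headers: Headers,
              emit_vary: bool) -> str:
        variants = self.store.setdefault((method, url), [])
        for sel, resp in variants:
            # A stored variant is reusable only if the request carries the
            # same values for the headers that variant varied on.
            if sel == selecting_headers(resp.get("Vary", ""), headers):
                self.hits += 1
                return resp["body"]
        self.misses += 1
        resp = origin_server(headers, emit_vary)
        if self.storable(resp):
            variants.append((selecting_headers(resp.get("Vary", ""), headers), resp))
        return resp["body"]


def run_scenario(emit_vary: bool, legacy: bool) -> Tuple[str, str, str, int, int]:
    """Same-origin GET, then a cross-site GET for the same URL, then the
    same-origin GET again. Returns (body1, body2, body3, hits, misses)."""
    cache = Cache(legacy_vary_handling=legacy)
    url = OWN_ORIGIN + "/account"
    first = cache.fetch("GET", url, {"Sec-From": OWN_ORIGIN}, emit_vary)
    second = cache.fetch("GET", url, {"Sec-From": CROSS_ORIGIN}, emit_vary)
    third = cache.fetch("GET", url, {"Sec-From": OWN_ORIGIN}, emit_vary)
    return first, second, third, cache.hits, cache.misses


if __name__ == "__main__":
    for emit_vary, legacy in ((False, False), (True, False), (True, True)):
        print(f"Vary emitted={emit_vary!s:5} legacy cache={legacy!s:5} ->",
              run_scenario(emit_vary, legacy))
```

In the first run the cross-site request gets the cached "private" body, which is the improper reuse Mark describes; in the second the cache keeps separate variants and still serves the third request from cache; in the third every request misses, which is the caching loss he warns about.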