- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 20 Sep 2010 19:06:10 +1000
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Anne van Kesteren <annevk@opera.com>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
As long as the browser does the right thing with the response, it doesn't matter whether the user is made aware. I.e., if we require the UA not to display / use the response (upgrade the first SHOULD to a MUST), the second becomes irrelevant, and as Anne says we can reduce the second part to advisory text. The question is whether there's a legitimate case for ignoring the fact that response smuggling could be happening. Given that two browser vendors already don't seem to think there is, I think this is a good direction to go in. Cheers, P.S. As an aside, it may be good to tighten up our language around user interaction, if we still are left with any requirements for it at the end. On 20/09/2010, at 6:46 PM, Julian Reschke wrote: > On 20.09.2010 10:27, Anne van Kesteren wrote: >> ... >> I'm not quite familiar with our code here, but if I understand the bug >> report below most (if not all) browsers do not implement any of the >> above. That does not seem good. Also, a SHOULD seems way too strong; >> even if we would report HTTP errors in an error console in most cases >> the user will not be informed at all. If I remember correctly, HTML5 >> typically uses MAY for such cases and a MUST for conformance checkers. >> ... > > "MAY" is useless here, of course UAs "MAY" inform the user about just anything. > > The reason why this is discussed at all (*) is that it's a *security* issue, and also recovery from this kind of problem isn't really possible. > > Best regards, Julian > > (*) as compared to a broken date, for instance. -- Mark Nottingham http://www.mnot.net/
Received on Monday, 20 September 2010 09:06:48 UTC