- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 20 Sep 2010 02:19:57 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
On Mon, Sep 20, 2010 at 2:06 AM, Mark Nottingham <mnot@mnot.net> wrote:
> As long as the browser does the right thing with the response, it doesn't matter whether the user is made aware.
>
> I.e., if we require the UA not to display / use the response (upgrade the first SHOULD to a MUST), the second becomes irrelevant, and as Anne says we can reduce the second part to advisory text.
>
> The question is whether there's a legitimate case for ignoring the fact that response smuggling could be happening. Given that two browser vendors already don't seem to think there is, I think this is a good direction to go in.

In general, making these kinds of decisions is very mechanical. We run an experiment to assess the compatibility impact of making the change. We then compare the compatibility impact with the severity of the issue we'd mitigate by making this change.

In this case, the severity is somewhere between "moderate" and "low" according to our usual severity guidelines. That means we'd like to see a compatibility impact of something like < 0.001% of HTTP responses.

We have nice infrastructure for running these experiments, both in the Chromium project and in Firefox. I'm sure if you ask someone at Mozilla, they'd be happy to run the experiment using TestPilot.

Adam
Received on Monday, 20 September 2010 09:20:57 UTC