Re: [#95] Multiple Content-Lengths

On Mon, Sep 20, 2010 at 2:06 AM, Mark Nottingham <> wrote:
> As long as the browser does the right thing with the response, it doesn't matter whether the user is made aware.
> I.e., if we require the UA not to display / use the response (upgrade the first SHOULD to a MUST), the second becomes irrelevant, and as Anne says we can reduce the second part to advisory text.
> The question is whether there's a legitimate case for ignoring the fact that response smuggling could be happening. Given that two browser vendors already don't seem to think there is, I think this is a good direction to go in.

In general, making this kind of decision is very mechanical.  We run
an experiment to assess the compatibility impact of making the change.
We then compare the compatibility impact with the severity of the
issue we'd mitigate by making this change.  In this case, the severity
is somewhere between "moderate" and "low" according to our usual
severity guidelines.  That means we'd like to see a compatibility
impact of something like < 0.001% of HTTP responses.

We have nice infrastructure for running these experiments, both in the
Chromium project and in Firefox.  I'm sure if you ask someone at
Mozilla, they'd be happy to run the experiment using TestPilot.


Received on Monday, 20 September 2010 09:20:57 UTC