- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 20 Sep 2010 19:27:32 +1000
- To: Adam Barth <w3c@adambarth.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
I was thinking along similar lines -- if Google (etc.) could check across their repositories (assuming that the information is collected). I'll ask them if they can run a test.

Thanks,

On 20/09/2010, at 7:19 PM, Adam Barth wrote:

> On Mon, Sep 20, 2010 at 2:06 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> As long as the browser does the right thing with the response, it doesn't matter whether the user is made aware.
>>
>> I.e., if we require the UA not to display / use the response (upgrade the first SHOULD to a MUST), the second becomes irrelevant, and as Anne says we can reduce the second part to advisory text.
>>
>> The question is whether there's a legitimate case for ignoring the fact that response smuggling could be happening. Given that two browser vendors already don't seem to think there is, I think this is a good direction to go in.
>
> In general, making this kind of decision is very mechanical. We run
> an experiment to assess the compatibility impact of making the change.
> We then compare the compatibility impact with the severity of the
> issue we'd mitigate by making this change. In this case, the severity
> is somewhere between "moderate" and "low" according to our usual
> severity guidelines. That means we'd like to see a compatibility
> impact of something like < 0.001% of HTTP responses.
>
> We have nice infrastructure for running these experiments, both in the
> Chromium project and in Firefox. I'm sure if you ask someone at
> Mozilla, they'd be happy to run the experiment using TestPilot.
>
> Adam

--
Mark Nottingham http://www.mnot.net/
Received on Monday, 20 September 2010 09:28:03 UTC