Re: [#95] Multiple Content-Lengths

I was thinking along similar lines -- if Google (etc.) could check across their repositories (assuming that the information is collected).

I'll ask them if they can run a test.

Thanks,


On 20/09/2010, at 7:19 PM, Adam Barth wrote:

> On Mon, Sep 20, 2010 at 2:06 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> As long as the browser does the right thing with the response, it doesn't matter whether the user is made aware.
>> 
>> I.e., if we require the UA not to display / use the response (upgrade the first SHOULD to a MUST), the second becomes irrelevant, and as Anne says we can reduce the second part to advisory text.
>> 
>> The question is whether there's a legitimate case for ignoring the fact that response smuggling could be happening. Given that two browser vendors already don't seem to think there is, I think this is a good direction to go in.
> 
> In general, making this kind of decision is very mechanical.  We run
> an experiment to assess the compatibility impact of making the change.
> We then compare the compatibility impact with the severity of the
> issue we'd mitigate by making this change.  In this case, the severity
> is somewhere between "moderate" and "low" according to our usual
> severity guidelines.  That means we'd like to see a compatibility
> impact of something like < 0.001% of HTTP responses.
> 
> We have nice infrastructure for running these experiments, both in the
> Chromium project and in Firefox.  I'm sure if you ask someone at
> Mozilla, they'd be happy to run the experiment using TestPilot.
> 
> Adam


--
Mark Nottingham     http://www.mnot.net/

Received on Monday, 20 September 2010 09:28:03 UTC
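The strict handling the thread argues for (a user agent must not use a response whose Content-Length framing is ambiguous), as an added example that is not code from this mailing-list thread, from the HTTPbis draft, or from any browser project. The helper names, the policy of collapsing identical duplicate values, and the sample responses are assumptions made for this illustration; the `compatibility_impact` helper shows the kind of number the compatibility experiment described in the quoted message would report.

```python
"""Reject HTTP responses that carry conflicting Content-Length values.

Added example (not code from the mailing-list thread or from any browser
project): models the strict behaviour discussed in the thread, where a user
agent MUST NOT use a response whose framing is ambiguous. The helper names,
the policy for identical duplicates, and the sample responses are all
assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FramingDecision:
    usable: bool                    # True only when the response may be consumed
    content_length: Optional[int]   # the single agreed length, if usable
    reason: str


def content_length_values(raw_response: bytes) -> List[bytes]:
    """Return every Content-Length value found in the header block.

    Field names are case-insensitive, and a field may appear more than once
    or carry a comma-separated list; both cases yield separate values here,
    because both create the framing ambiguity the thread is about.
    """
    values = []
    head = raw_response.split(b"\r\n\r\n", 1)[0]   # header block only
    for line in head.split(b"\r\n")[1:]:           # skip the status line
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            values.extend(item.strip() for item in value.split(b","))
    return values


def check_framing(raw_response: bytes) -> FramingDecision:
    """Decide whether a response has unambiguous Content-Length framing."""
    values = content_length_values(raw_response)
    if not values:
        return FramingDecision(True, None, "no Content-Length header")
    # Every value must be a plain decimal integer.
    if any(not v.isdigit() for v in values):
        return FramingDecision(False, None, "malformed Content-Length value")
    distinct = {int(v) for v in values}
    if len(distinct) > 1:
        # Two different lengths: an intermediary and the browser could
        # disagree about where this response ends. This is the response
        # smuggling case, so the response is not used at all.
        return FramingDecision(False, None,
                               "conflicting Content-Length values: %s"
                               % sorted(distinct))
    length = distinct.pop()
    if len(values) > 1:
        # Assumed policy: identical duplicates collapse to one value.
        return FramingDecision(True, length, "duplicate but identical Content-Length")
    return FramingDecision(True, length, "single Content-Length")


def compatibility_impact(responses: List[bytes]) -> float:
    """Fraction of responses the strict rule would refuse to use: the figure a
    compatibility experiment over real traffic would compare against the
    threshold quoted in the thread."""
    if not responses:
        return 0.0
    rejected = sum(1 for r in responses if not check_framing(r).usable)
    return rejected / len(responses)


# Constructed sample responses (not captured traffic).
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/plain\r\n"
         b"Content-Length: 5\r\n\r\nhello")

CONFLICTING = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Length: 5\r\n"
               b"content-length: 42\r\n\r\nhello")

LIST_FORM = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Length: 5, 5\r\n\r\nhello")


if __name__ == "__main__":
    for label, resp in (("clean", CLEAN), ("conflicting", CONFLICTING),
                        ("list-form", LIST_FORM)):
        d = check_framing(resp)
        print(f"{label:12s} usable={d.usable} length={d.content_length} ({d.reason})")
    print(f"impact over sample: {compatibility_impact([CLEAN, CONFLICTING, LIST_FORM]):.3f}")
```

The decision to refuse the response (rather than pick the first or last value) is the point of the "upgrade the first SHOULD to a MUST" proposal above: once the response is never used, advising the user about it becomes advisory text only, exactly as the thread suggests.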