- From: James M Snell <jasnell@gmail.com>
- Date: Wed, 18 Jul 2012 13:35:48 -0700
- To: ietf-http-wg@w3.org
- Message-ID: <CABP7RbfFj__CeriiJA-caEda_h0K5b__oj6-zYRuA=BgSofuhA@mail.gmail.com>
Just need a few clarifications as I've been going through the spec... some of these are probably obvious but I wanted to get the "official" answer... 1. Section 3.2 HTTP Request/Response is fairly under-defined. For example... - are all request headers REQUIRED to be contained within the SYN_STREAM or can some be pushed off to additional HEADERS frames? Likewise with SYN_REPLY frames. - is it possible to interleave HEADERS and DATA frames within a request or response Stream? (I noticed discussion of this with regards to server-push, but did not see any discussion of it with regards to regular http methods) - Since SPDY effectively eliminates Transfer-Encodings, are Trailers still allowed? That is, for example, what if I wanted to send a HEADERS frame containing a Content-Integrity header following a set of DATA frames? (Personal Opinion: it should be possible to interleave HEADERS anywhere into the stream. With a few specific exceptions, It should also be possible to override a given headers value by sending another instance of the header along later in the same stream. Doing so raises the possibility of more efficient multipart encodings, incremental data-integrity checks, etc) 2. Just for the sake of clarity, what is the expected behavior if a user-agent interleaves multiple modification requests to the same resource? For instance: => SYN_STREAM(id=1,:method=PUT,:path=/my/resource) => SYN_STREAM(id=2,:method=DELETE,:path=/my/resource) => SYN_STREAM(id=3,:method=POST, :path=/my/resource) While this may appear on the surface to be a silly question, it speaks to a fundamental issue of allowing unsafe/non-idempotent methods to be multiplexed, particularly if the processing order for requests interleaved on a single connection is indeterminate. From draft-ietf-httpbis-p1-messaging-20 6.3.2.2: Clients SHOULD NOT pipeline requests using non-idempotent request methods or non-idempotent sequences of request methods (see Section 2.1.2 of [Part2]). Otherwise, a premature termination of the transport connection could lead to indeterminate results. A client wishing to send a non-idempotent request SHOULD wait to send that request until it has received the response status line for the previous request. 3. How are Informational 1xx Status Codes handled? The current SPDY draft does not appear to support "provisional responses". 4. Note that the Upgrade header as currently defined within HTTP/1.1 will need to be revisited. In fact, as currently defined, Upgrade is incompatible with SPDY. 5. There's a fairly obvious security DoS concern about allowing a user agent to multiplex multiple ranged GETs over a single connection. See draft-ietf-httpbis-p5-range-20 Section 7.1 on "Overlapping Ranges". 6. It's good that Section 5.4 deals with cache control validation with server push but the requirement needs to be made stronger. If the originating stream utilizes any content negotiation mechanisms at all, and those mechanisms impact the selection of resources that are pushed to the client, the *server* MUST include an appropriate Vary header with the pushed content. Right now, the spec states only that "browsers MUST be careful to inherit request headers" ... but that leaves out any possible intermediary caches along the way, which can obviously cause major problems. 7. What methods can trigger a server push? For instance, if I send a POST request, is it possible for the server to respond with a push? For example, I send a POST to a server to modify an image. In response to the POST, the server returns a 200 OK with a page describing the changes and pushes the modified image resource in a separate stream. Or are pushes only triggered by GET requests? What are the conditions in which a push would be considered inappropriate? - James
Received on Wednesday, 18 July 2012 20:36:36 UTC