Re: Design Issue: Overlong Frames

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 10 May 2013 10:36:41 -0700
Message-ID: <CABkgnnXZY7aSRmVb-GsfDVpq3+cNXRh_MeUipWGVHUwQreUV6g@mail.gmail.com>
To: James M Snell <jasnell@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 9 May 2013 10:26, James M Snell <jasnell@gmail.com> wrote:
> Recommendation: Adding a short statement that a PROTOCOL_ERROR MUST be
> returned if a frame contains more bytes than what is expressly
> specified in the frame definition.

That would prevent extension unnecessarily.  And it doesn't do
anything to improve security.

When you want to harden security, you need to consider what equivalent
options are available to an attacker.  If I wanted to send you more
data, then I will use DATA frames.  Unless you can find a way to
curtail DATA I see no reason to clamp down here.

Received on Friday, 10 May 2013 17:37:08 UTC
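
To make the two positions in this exchange concrete, here is an added example (not part of the original message or of any HTTP/2 implementation): a frame parser that either rejects an overlong fixed-size frame with PROTOCOL_ERROR or parses the defined fields and skips the trailing bytes. The 8-byte header layout, the type codes and the sizes in FIXED_PAYLOAD are assumptions made for illustration.

```python
import struct

# Assumed layout for illustration (not quoted from the thread): 8-byte header =
# 16-bit payload length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.
HEADER = struct.Struct("!HBBI")
PROTOCOL_ERROR = "PROTOCOL_ERROR"
# Hypothetical frame types whose definition fixes the payload size in bytes.
FIXED_PAYLOAD = {0x3: 4, 0x6: 8}


def frame(ftype, stream, payload):
    """Serialize one frame (helper for building the constructed samples)."""
    return HEADER.pack(len(payload), ftype, 0, stream) + payload


def parse_frames(buf, strict):
    """Return [(type, stream_id, payload, skipped_extra)]; strict rejects overlong frames."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated frame header")
        length, ftype, _flags, stream = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if len(buf) - off < length:
            raise ValueError("truncated frame payload")
        body, extra = buf[off:off + length], b""
        off += length  # always advance by the declared length, so framing stays in sync
        want = FIXED_PAYLOAD.get(ftype)
        if want is not None and length < want:
            raise ValueError(PROTOCOL_ERROR)  # too short is an error under either policy
        if want is not None and length > want:
            if strict:
                raise ValueError(PROTOCOL_ERROR)  # the policy recommended in the quoted text
            body, extra = body[:want], body[want:]  # tolerant: leave room for extension
        frames.append((ftype, stream & 0x7FFFFFFF, body, extra))
    return frames


# Constructed sample input: a 4-byte-payload frame carrying 4 extra bytes, then DATA.
OVERLONG = frame(0x3, 1, b"\x00\x00\x00\x01" + b"ext!")
DATA = frame(0x0, 1, b"x" * 1000)

if __name__ == "__main__":
    print(parse_frames(OVERLONG + DATA, strict=False))
```

In both modes the bytes consumed per frame are bounded by the header's length field, and the 1000-byte DATA frame is accepted unchanged.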