W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: chunk-extensions

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 13 Sep 2013 15:01:31 -0700
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <AF84D601-425D-42C2-8B23-5060AE18B899@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>
On Oct 21, 2010, at 7:29 PM, Mark Nottingham wrote:

> What do people think about deprecating the use of chunk-extensions -- i.e., requiring that they be consumed, but not produced?
> 
>     chunk          = chunk-size *WSP [ chunk-ext ] CRLF
>                      chunk-data CRLF
>     chunk-size     = 1*HEXDIG
>     last-chunk     = 1*("0") *WSP [ chunk-ext ] CRLF
> 
>     chunk-ext      = *( ";" *WSP chunk-ext-name
>                         [ "=" chunk-ext-val ] *WSP )
>     chunk-ext-name = token
>     chunk-ext-val  = token / quoted-str-nf
> 
> I haven't seen any practical uses for them, and haven't seen any implementations that do anything with them other than throw them away. 

http://trac.tools.ietf.org/wg/httpbis/trac/ticket/343

I know this was closed a long time ago, but I have never been
comfortable with the idea of deprecating chunk-ext.  They were
originally intended to allow per-chunk signatures or hashes,
similar to those used in the Wave protocol.  More recently, they
have been considered as a potential solution to BREACH-style
attacks, specifically when a compression transfer encoding is
used within a TLS-secured connection. [There are other solutions,
of course, like changing the compression algorithms or changing
TLS, but chunk-ext is easier to deploy on a per-hop basis.] 

I am concerned that we might be deprecating something that will
be needed if we get widespread deployment of transfer-encoding
compression (instead of content-encoding compression).  Moreover,
recipients don't actually gain anything from this deprecation,
since they have to continue parsing for chunk-ext to remain
compatible.

Does anyone else share that concern?  It would be different if
we knew of systems that actually break on receipt of chunk-ext,
but I am not aware of any.


Cheers,

Roy T. Fielding                     <http://roy.gbiv.com/>
Senior Principal Scientist, Adobe   <https://www.adobe.com/>
Received on Friday, 13 September 2013 22:01:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:15 UTC