Re: Frame Length Restrictions

>
> > Now, if I operate under the assumption that an adversary can force my server
> > to produce full size frames, [...]
>
> This is where we have the disconnect.  If an adversary has that much
> control over your code, I don't trust *anything* you are sending me.
> What's padding going to do to help then?
>

My assumption here is similar to BREACH: user input can be reflected in
HTTP response bodies, which the upstream servers naively split into 16K
data frames using whatever HTTP/2 library they have chosen.

Received on Tuesday, 22 April 2014 00:02:14 UTC
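The framing the reply describes, as an added example that is not part of the thread: a body is split into DATA frames either naively (on-wire lengths track body length byte for byte) or with a hypothetical padding policy that rounds each frame's payload up to a fixed bucket, so two reflected responses differing by a few bytes look identical on the wire. It assumes the final RFC 7540 frame layout (9-octet header, 24-bit length, PADDED flag with a pad-length octet) rather than the draft under discussion; `data_frames`, `wire_lengths` and the `bucket` parameter are names chosen here.

```python
import struct
from typing import List, Optional

DATA = 0x0            # DATA frame type
END_STREAM = 0x1      # flag bits per RFC 7540
PADDED = 0x8
DEFAULT_MAX_FRAME = 16384  # SETTINGS_MAX_FRAME_SIZE default (2^14, the "16K" above)


def data_frames(body: bytes, stream_id: int, max_frame: int = DEFAULT_MAX_FRAME,
                bucket: Optional[int] = None) -> List[bytes]:
    """Split a response body into HTTP/2 DATA frames.

    bucket=None : naive framing, payload == body bytes, lengths leak body size exactly.
    bucket=N    : hypothetical mitigation; every frame is PADDED and its payload
                  (pad-length octet + data + zero padding) is rounded up to a multiple
                  of N (1..256, dividing max_frame), so lengths reveal size only to N bytes.
    """
    if bucket is not None:
        if not 1 <= bucket <= 256 or max_frame % bucket:
            raise ValueError("bucket must be 1..256 and divide max_frame")
        chunk = max_frame - 1          # leave room for the pad-length octet
    else:
        chunk = max_frame
    pieces = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    frames = []
    for idx, data in enumerate(pieces):
        flags = END_STREAM if idx == len(pieces) - 1 else 0
        if bucket is None:
            payload = data
        else:
            pad = (-(1 + len(data))) % bucket   # < 256, fits the pad-length octet
            payload = bytes([pad]) + data + b"\x00" * pad
            flags |= PADDED
        assert len(payload) <= max_frame
        header = (struct.pack(">I", len(payload))[1:]          # 24-bit length
                  + bytes([DATA, flags])
                  + struct.pack(">I", stream_id & 0x7FFFFFFF))  # R bit clear
        frames.append(header + payload)
    return frames


def wire_lengths(frames: List[bytes]) -> List[int]:
    """What a passive observer sees: the length of each frame on the wire."""
    return [len(f) for f in frames]
```

Compare `wire_lengths(data_frames(b"A" * 1000, 1))` with the same call for 1010 bytes, then repeat with `bucket=256`: the naive lengths differ by ten, the padded ones are identical.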