- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 25 Apr 2014 10:51:05 +1000
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: Kathleen Moriarty <kathleen.moriarty@emc.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
In the London meeting, some folks expressed concern about the security implications of using GZIP in HTTP. We're tracking this as <https://github.com/http2/http2-spec/issues/423>.

As you can see there, we've updated Security Considerations to address compression issues -- <http://http2.github.io/http2-spec/#rfc.section.10.6>

Does this address the concern adequately?

Cheers,

P.S. For those who haven't been following, payload compression in HTTP/2 can happen two ways:

1) end-to-end using Content-Encoding (just as with HTTP/1.1), and
2) hop-by-hop, using the compression flag on DATA frames; see <http://http2.github.io/http2-spec/#DATA>

(2) is new, and analogous to Transfer-Encoding: gzip in HTTP/1.1. However, it's frame-by-frame, not message-by-message; that is, compression dictionaries are not shared between frames, even if those frames coalesce to form a single HTTP message.

--
Mark Nottingham
http://www.mnot.net/
Received on Friday, 25 April 2014 00:50:08 UTC
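The security concern behind the issue above is the compression side channel (the CRIME/BREACH class of attacks): when attacker-chosen text and a secret are compressed in one DEFLATE context, the compressed size reveals whether the guess matches the secret. The following is an added example, not code from the post or from the HTTP/2 spec. It models end-to-end Content-Encoding as one gzip stream over the whole body, and the draft's hop-by-hop DATA-frame flag as gzipping fixed-size chunks of the body with a fresh context per chunk. The HTML body, the tokens and the candidate list are all constructed for the demonstration; `response_body`, `size_end_to_end`, `size_per_frame` and `best_guess` are names chosen here, not anything from the spec.

```python
import zlib

# Constructed sample data (not from the original post): two victims' CSRF tokens
# and the attacker's candidate list, which includes both plus an unrelated decoy.
SECRET_A = "4f9c1e7a3b2d8c6e0f1a9b7c5d3e2f10"
SECRET_B = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
CANDIDATES = [SECRET_A, SECRET_B, "77e3d0a5f4c2b9816e0d3a7c5b4f29a1"]

# Constructed filler so that the secret and the reflected text are a few hundred
# bytes apart in the body.
PADDING = (b"<p>Your account overview is shown below. Recent transfers, pending "
           b"payments and statements are available from the menu.</p>\n") * 4


def response_body(secret: str, reflected: str) -> bytes:
    """A constructed HTML page: a secret token early in the body, attacker-chosen
    text (e.g. an echoed search parameter) later in the same body."""
    return (b"<!doctype html><html><body>\n"
            b'<form action="/transfer" method="post">\n'
            b'<input type="hidden" name="csrf" value="' + secret.encode() + b'">\n'
            + PADDING +
            b'<p>No results for "' + reflected.encode() + b'".</p>\n'
            b"</body></html>\n")


def gzip_len(data: bytes) -> int:
    """Bytes on the wire for one gzip stream, i.e. one compression context."""
    c = zlib.compressobj(level=6, wbits=31)  # wbits=31 selects gzip framing
    return len(c.compress(data) + c.flush())


def size_end_to_end(secret: str, reflected: str) -> int:
    """Content-Encoding: gzip -- the whole message shares one context."""
    return gzip_len(response_body(secret, reflected))


def size_per_frame(secret: str, reflected: str, frame_size: int) -> int:
    """Model of the draft's DATA-frame flag: the body is cut into frames of
    frame_size bytes and each frame is gzipped on its own, so no dictionary
    is shared between frames (hypothetical model, assumption of this example)."""
    body = response_body(secret, reflected)
    frames = [body[i:i + frame_size] for i in range(0, len(body), frame_size)]
    return sum(gzip_len(f) for f in frames)


def best_guess(sizer, candidates):
    """The attacker's oracle: only the response size is observable, and the
    candidate that makes the response smallest is the one that matched."""
    return min(candidates, key=sizer)


if __name__ == "__main__":
    for label, sizer in [
        ("end-to-end gzip", lambda g: size_end_to_end(SECRET_A, g)),
        ("per-frame, 256-byte frames", lambda g: size_per_frame(SECRET_A, g, 256)),
        ("per-frame, 16 KiB frames", lambda g: size_per_frame(SECRET_A, g, 1 << 14)),
    ]:
        sizes = {g: sizer(g) for g in CANDIDATES}
        print(f"{label}: sizes={list(sizes.values())} "
              f"attacker picks {best_guess(sizer, CANDIDATES)!r}"
              f"{' (correct)' if best_guess(sizer, CANDIDATES) == SECRET_A else ''}")
```

Two things are worth checking when running it. With end-to-end compression the correct candidate is the unique small response, because the reflected token becomes a back-reference to the secret instead of 32 literals. With 256-byte frames the secret and the reflection land in different frames, and the guess-dependent part of the size no longer involves the secret at all: the attacker's pick is the same whatever the victim's token is. But with the default 16 KiB maximum frame size this whole body fits in one frame, and the per-frame result is byte-for-byte the same as end-to-end, so frame-level compression only helps when the sender happens to place attacker-controlled data and secrets in different frames.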