- From: Roberto Peon <grmocg@gmail.com>
- Date: Wed, 28 May 2014 12:28:39 -0700
- To: Yoav Nir <ynir.ietf@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAP+FsNeXHMd5d-apNhbfZ311wJmL0oFPZ7+OqHVR1KZnKMf+2Q@mail.gmail.com>
I can't answer why for everyone, but yes, for this part at least, the motivation was to be able to deploy an HTTP2 proxy that wouldn't break any of our consumers, be they clients or servers. I'm not convinced that large headers are an abuse of the protocol, btw. There were some uses that I had to shake my head at and admit that there weren't many other reasonable ways around it, e.g. clearing out all possible permutations of all cookie-names, so that an auth cookie could actually be successfully registered. Certainly, that particular problem could be solved in a different way with HTTP/2, but it would require changing other semantics, and would require the server to realize there was a difference, which would cause deployment headaches, etc. For all I know this has been fixed by additions to HTTP of which I'm unaware. I'll note that it is definitely a rare case, but when I saw it used, it was also important for user interaction (else one would have to somehow communicate to the user that they'd have to blow away their cache). In cases where it is unexpected, I'd expect an endpoint to take action to shutdown the stream. Attacks, whether malicious or not, are a fact of life, and it is good to be able to identify them and blow them away without affecting other users overly much. -=R On Wed, May 28, 2014 at 12:18 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > > On May 28, 2014, at 8:40 PM, Roberto Peon <grmocg@gmail.com> wrote: > > The DoS surface with HTTP headers is not increased over HTTP/1 (which also > would suffer from a requirement to tear down the transport when that kind > if thing happens, unlike HTTP2). > > I believe I've mentioned before seeing rare, but multi-Mb headers in the > past. We had, before that experience, amusingly assumed that 16k was enough > for anyone, and were wrong by orders of magnitude. > > So I’m wondering. Some of us (not all) seem to be OK with telling some use > cases to stick with HTTP/1, like printing or IoT or many of the other > places that are outside HTTP/2 “design space”. Why are we going to such > lengths to support this abuse of the protocol. Is it just because HTTP/1 > allows it? > > Yoav > > >
Received on Wednesday, 28 May 2014 19:30:25 UTC