Re: Header Size? Was: Our Schedule

From: Michael Sweet <msweet@apple.com>
Date: Mon, 02 Jun 2014 10:51:14 -0400
Cc: Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-id: <6D8F8CF6-9537-4470-B367-0F41B536F50A@apple.com>
To: Greg Wilkins <gregw@intalio.com>

On Jun 2, 2014, at 10:13 AM, Greg Wilkins <gregw@intalio.com> wrote:
> ...
> However, my concerns remain about the unconstrained size of the headers that servers must hold; the fact that they are not flow controlled (which will encourage the unconstrained size usage); that they cannot be interleaved creating an easy DOS vector; that they must be processed serially.  I also currently think it is worth evaluating separating the transport meta-data from other meta data.

Given the default header table size of 4k, I'm guessing that those cookies will get tossed (sorry, couldn't resist :) pretty easily with a shared connection.

Another potential issue (good for header tables but not so good for compression) is the usage of cookies as security tokens ("login cookies"): I wonder whether browsers will end up sending those headers using the 'no index' encoding to avoid CRIME-like attacks? (although that would likely be a bit harder to exploit than the CRIME attacks)

Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Monday, 2 June 2014 14:51:46 UTC
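
The two points in the message above (a 4k header table that evicts under pressure, and keeping login cookies out of the table with a non-indexing literal), modelled as an added example that is not part of the original e-mail or of any HTTP/2 implementation. It assumes the entry-size and eviction rules later published in RFC 7541 (name length + value length + 32 octets, default table size 4096); `DynamicTable`, `encode` and the `SENSITIVE` policy are hypothetical names, and the header values are constructed.

```python
from collections import deque

ENTRY_OVERHEAD = 32          # RFC 7541 sec. 4.1: size = len(name) + len(value) + 32
DEFAULT_TABLE_SIZE = 4096    # the "4k" default mentioned in the message
SENSITIVE = frozenset({"cookie", "authorization"})  # assumed policy, not from the thread


class DynamicTable:
    """Model of an HPACK dynamic table: sizes and eviction only, no wire format."""

    def __init__(self, max_size=DEFAULT_TABLE_SIZE):
        self.max_size = max_size
        self.entries = deque()   # newest entry at index 0
        self.size = 0

    def add(self, name, value):
        need = len(name) + len(value) + ENTRY_OVERHEAD
        # Evict oldest entries until the new one fits; an entry larger than
        # the whole table empties it and is not stored.
        while self.entries and self.size + need > self.max_size:
            old_name, old_value = self.entries.pop()
            self.size -= len(old_name) + len(old_value) + ENTRY_OVERHEAD
        if need <= self.max_size:
            self.entries.appendleft((name, value))
            self.size += need

    def __contains__(self, field):
        return field in self.entries


def encode(table, headers, sensitive=SENSITIVE):
    """Return the representation chosen for each (name, value) field."""
    choices = []
    for name, value in headers:
        if name in sensitive:
            choices.append("never-indexed")   # literal, kept out of the table
        elif (name, value) in table:
            choices.append("indexed")         # short reference to a table entry
        else:
            table.add(name, value)
            choices.append("incremental")     # literal, then added to the table
    return choices


if __name__ == "__main__":
    t = DynamicTable()
    page = [("user-agent", "u" * 100), ("accept", "text/html")]  # constructed
    encode(t, page)
    print(encode(t, [("cookie", "s" * 3900)]), encode(t, page), t.size)
```

Passing `sensitive=()` indexes the cookie like any other field, which shows the eviction churn: the 3900-octet cookie pushes out an earlier entry and is itself evicted once the other fields are re-added.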