- From: Michael Sweet <msweet@apple.com>
- Date: Mon, 02 Jun 2014 10:51:14 -0400
- To: Greg Wilkins <gregw@intalio.com>
- Cc: Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Received on Monday, 2 June 2014 14:51:46 UTC
Greg,

On Jun 2, 2014, at 10:13 AM, Greg Wilkins <gregw@intalio.com> wrote:
> ...
> However, my concerns remain about the unconstrained size of the headers that servers must hold; the fact that they are not flow controlled (which will encourage the unconstrained size usage); that they cannot be interleaved creating an easy DOS vector; that they must be processed serially. I also currently think it is worth evaluating separating the transport meta-data from other meta data.

Given the default header table size of 4k, I'm guessing that those cookies will get tossed (sorry, couldn't resist :) pretty easily with a shared connection.

Another potential issue (good for header tables but not so good for compression) is the usage of cookies as security tokens ("login cookies"): I wonder whether browsers will end up sending those headers using the 'no index' encoding to avoid CRIME-like attacks? (although that would likely be a bit harder to exploit than the CRIME attacks)

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
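The 'no index' encoding the message refers to is HPACK's literal-never-indexed representation. As an added example, not part of this thread or of any implementation its participants discuss, a minimal Python encoder shows how a cookie sent that way stays out of the shared dynamic table, while ordinary headers are added with incremental indexing and evicted once the 4096-octet default table fills; the SENSITIVE set and the choice to emit names as literals instead of static-table indexes are simplifications assumed here.

```python
# Minimal HPACK-style encoder (RFC 7541 representations), assumed example code.
# A header in SENSITIVE is emitted as "literal never indexed" and never enters
# the dynamic table, so its value cannot be recovered by observing the
# compression state of later requests on the same connection.

SETTINGS_HEADER_TABLE_SIZE = 4096          # the 4k default the message mentions
SENSITIVE = {"cookie", "authorization", "set-cookie"}  # assumed policy

def _encode_int(value, prefix_bits, first_byte_flags):
    """HPACK integer encoding (RFC 7541 section 5.1) with an N-bit prefix."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | max_prefix])
    value -= max_prefix
    while value >= 128:
        out.append((value % 128) + 128)
        value //= 128
    out.append(value)
    return bytes(out)

def _encode_string(s):
    """String literal without Huffman coding (H bit clear)."""
    data = s.encode("utf-8")
    return _encode_int(len(data), 7, 0x00) + data

class Encoder:
    def __init__(self, max_size=SETTINGS_HEADER_TABLE_SIZE):
        self.max_size = max_size
        self.table = []  # dynamic table, newest entry first: (name, value)

    def table_size(self):
        # Entry size per RFC 7541 section 4.1: name + value + 32 octets overhead.
        return sum(len(n) + len(v) + 32 for n, v in self.table)

    def _add(self, name, value):
        self.table.insert(0, (name, value))
        while self.table_size() > self.max_size:
            self.table.pop()  # evict the oldest entry until we fit

    def encode(self, name, value):
        name = name.lower()
        if name in SENSITIVE:
            # Literal never indexed (0001xxxx), literal name (index 0):
            # not added to any table, and intermediaries must keep it so.
            return _encode_int(0, 4, 0x10) + _encode_string(name) + _encode_string(value)
        # Literal with incremental indexing (01xxxxxx), literal name (index 0):
        # the field becomes part of the shared dynamic table.
        self._add(name, value)
        return _encode_int(0, 6, 0x40) + _encode_string(name) + _encode_string(value)
```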