- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Sat, 1 Feb 2014 12:59:29 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Rob Trace <Rob.Trace@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>, Magnus Nystrom <mnystrom@microsoft.com>, Eric Rescorla <ekr@rtfm.com>

On 31 January 2014 22:09, Adam Barth <w3c@adambarth.com> wrote:
> it requires downstream technologies to maintain more invariants in order to
> avoid leaking sensitive information.

After continuing this discussion offline, this remains my biggest concern. While it might be true that HPACK can be used safely, any impact on users of the protocol will have to be carefully monitored.

However, I don't believe that any change in the requirements for proper use would necessarily be the end of HPACK. We need to understand what those changes might be and make an evaluation about whether the advantages outweigh the costs.

It might be that we conclude that HPACK is a bad idea, period. I consider that unlikely, because the browser isn't the only place HTTP is used. More likely we will need to find a set of restrictions on its use.

It might be that we don't use HPACK for browsing. Again, that doesn't sound ideal, but if we can't find a set of restrictions on use that we're willing to implement, then that's where we will likely end up.

Received on Saturday, 1 February 2014 20:59:56 UTC