- From: <K.Morgan@iaea.org>
- Date: Mon, 31 Mar 2014 19:48:58 +0000
- To: <martin.thomson@gmail.com>
- CC: <atlunde@panix.com>, <cory@lukasa.co.uk>, <zhong.j.yu@gmail.com>, <ietf-http-wg@w3.org>, <C.Brunhuber@iaea.org>
On Mar 31, 2014, at 18:31, martin.thomson@gmail.com<mailto:martin.thomson@gmail.com> wrote: At this stage, I consider it highly unlikely that an attack is found whereby compression has to be globally disabled. Agreed. I said "very" unlikely - but I should have said "highly" unlikely. I'd think it unlikely that the working group would ... remove the implicit opt-in. I agree, but why not allow a client to explicitly opt out of gzip? In rfc 2616, clients may opt out of the implicit "identity" content-coding by sending "identity;q=0" (see section 14.3 rule #4 at https://tools.ietf.org/html/rfc2616#section-14.3) I suggest the following based on the exact wording from rfc 2616 14.3 rule #4 ... The "identity" and "gzip" content-codings are always acceptable, unless specifically refused because the Accept-Encoding field includes "identity;q=0", or "gzip;q=0" respectively, or because the field includes "*;q=0" and does not explicitly include the "identity" or "gzip" content-codings respectively. If the Accept-Encoding field-value is empty, then only the "identity" or "gzip" encodings are acceptable. This email message is intended only for the use of the named recipient. Information contained in this email message and its attachments may be privileged, confidential and protected from disclosure. If you are not the intended recipient, please do not read, copy, use or disclose this communication to others. Also please notify the sender by replying to this message and then delete it from your system.
Received on Monday, 31 March 2014 19:49:37 UTC