- From: Van Catha <vans554@gmail.com>
- Date: Sat, 1 Oct 2016 15:18:49 -0400
- To: Ilari Liusvaara <ilariliusvaara@welho.com>
- Cc: HTTP working group mailing list <ietf-http-wg@w3.org>
- Message-ID: <CAG-EYChPJpAzoEuNwY3cNz503d0FRbNnDx_9AsNsZyfb5nmN0g@mail.gmail.com>
> Is there request header to request no caching? There is certainly a
> response header to request no caching.
I believe there is no request that can specify "don't cache", but I may be
wrong.
> Or perhaps use a dedicated method? It would seem pretty obivous that
> if you see a unknown method, you shouldn't assume very much about what
> it is.
I think adding/using an unconventional method will be way beyond the scope
of what
is presented. I do not think anyone will implement that?
> Unfortunately, HTTP/2 does not have strict scheme handling like I
> proposed. With it, one could just have directly used the wss scheme
> (or ws for oppsec) and be done with it.
:scheme is perfect! Wow. If we could pass ws/wss for example as the scheme
that
fits perfectly. Looking at https://tools.ietf.org/html/rfc3986#section-3.1
the spec for schemes
it seems ws and wss are perfectly valid schemes to use and are registered;
http://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml.
If we wanted to pass ws2, we would have to register the scheme which I think
should not be a problem. As ws2 will not be backwards compatible with
ws/wss. Would wss2 need to be included as well in this case?
So in the current state of affairs, using wss as the scheme over HTTP/2
will default to using
WebSocket2. Using ws as the scheme will default to WebSocket2 as well (for
backwards compat).
So if the client API uses WebSocket("ws://my-http2-server.com/channel") or
wss, both should
go to WebSocket2.
Where is the problem in HTTP/2 that would disallow schemes different from
http and https, I do not see
anything related to this?
> It seems to me that using https:// GET here is rather dangerous. Even with
> extra custom headers.
Any alternative suggestion?
On Sat, Oct 1, 2016 at 2:47 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:
> On Sat, Oct 01, 2016 at 02:20:38PM -0400, Van Catha wrote:
>
> > The proxy problem circles around back to the implementation. Perhaps a
> > header in the request could be included saying to not cache anything, if
> > the proxy caches things well its the proxies fault. Also if the proxy is
> > not aware of WebSocket2 this should not matter, the proxies job is to
> > forward everything as it came. As long as the proxy would forward the
> > websocket2-[version|compression] headers to the server and forward what
> the
> > server replies with there should be no problems. Again if the proxy is
> > "smart" and decides to cache the response (which did not specify any
> > headers related to caching) its the proxies fault. To be more direct the
> > response may be forced to include headers specifically instructing
> nothing
> > should be cached. Does this work?
>
> Is there request header to request no caching? There is certainly a
> response header to request no caching.
>
> Or perhaps use a dedicated method? It would seem pretty obivous that
> if you see a unknown method, you shouldn't assume very much about what
> it is.
>
> > I am thinking using SETTINGS frames would be too complex, as that would
> > require baking WebSocket2 directly into HTTP/2, the way it is now,
> > WebSocket2 should run over HTTP/2 with minimal resistance since we do not
> > introduce new settings or HTTP/2 frame types. HTTP/2 was designed from
> the
> > very beginning to not support 2 way streaming like websocket provides
> > currently for HTTP/1.1. I think the resistance would be great if adding
> > WebSocket2 requires adding to the actual HTTP/2 specification.
>
> Unfortunately, HTTP/2 does not have strict scheme handling like I
> proposed. With it, one could just have directly used the wss scheme
> (or ws for oppsec) and be done with it.
>
> > If origin server does not know about WebSocket2 and the request succeeds
> > that is indeed a problem. Perhaps the server can reply with the error
> > header always like websocket2-error: okay; in the case when the
> WebSocket2
> > negotation was a success. This way an origin server without WebSocket2
> will
> > reply with 200, and the client will see there is no websocket2-error:
> okay;
> > header and promptly notify the client that WebSocket2 negotiation failed.
>
> It seems to me that using https:// GET here is rather dangerous. Even with
> extra custom headers.
>
>
> -Ilari
>
Received on Saturday, 1 October 2016 19:19:18 UTC