Re: Op-sec simplification from Mark Nottingham on 2016-10-31 (ietf-http-wg@w3.org from October to December 2016)

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 1 Nov 2016 09:41:56 +1100
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Message-Id: <842E817E-77E4-45E0-B5E3-D45F8D7AFA15@mnot.net>

Hold on -- are we layering in a new requirement to use the absolute form of the URL?

That's going to cause issues with a number of client and server side implementations that don't have control over or access to the precise form of the URL on the wire.

It also violates a MUST in 7230, 5.3.1:

"""
When making a request directly to an origin server, other than a CONNECT or server-wide OPTIONS request (as detailed below), a client MUST send only the absolute path and query components of the target URI as the request-target. If the target URI's path component is empty, the client MUST send "/" as the path within the origin-form of request-target.
"""

Cheers,



> On 31 Oct. 2016, at 4:32 pm, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> 
> | https://github.com/httpwg/http-extensions/pull/254
> | 
> | The main changes:
> | 
> |  - the .well-known resource is a flat list of origins
> 
> ( no comment about that yet. )
> 
> |  - the client only needs to acquire a .wk from the secured server
> 
> Hmm. Reading it from original and from the secured server
> gives little more verify that they really are giving same answers.
> 
> | - the draft explicitly allows HTTP/1.1
> 
> https://github.com/httpwg/http-extensions/blob/967aa51e513e4a2eea39ce6b2a37789be05c9483/draft-ietf-httpbis-http2-encryption.md#using-http-uris-over-tls
> 
> | Note that HTTP/1.1 requests MUST use the absolute form (see Section 5.3.2 of {{RFC7230}}).
> 
> Yes, I suggested that.
> 
> Example needs also to use absolute form here:
> 
> https://github.com/httpwg/http-extensions/blob/967aa51e513e4a2eea39ce6b2a37789be05c9483/draft-ietf-httpbis-http2-encryption.md#alternative-server-opt-in-auth
> 
> | GET /.well-known/http-opportunistic HTTP/1.1
> | Host: www.example.com
> 
> 
> ( I think that I mentioned that example also. )
> 
> So it should be
> 
> | GET http://www.example.com/.well-known/http-opportunistic HTTP/1.1
> | Host: www.example.com
> 
> 
> ( Seems that "Host" header is required also when absolute form is used. 
>  That I missed last time
>  https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0097.html
> )
> 
> / Kari Hurtta
> 
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 31 October 2016 22:42:30 UTC