RE: Working Group Last Call The ORIGIN HTTP/2 Frame

I’ve already participated in the DNS-skipping discussion, which I think is the thorniest issue here, so my remaining feedback is reasonably contained.


  *   I’ll second the parallel fork’s suggestion to change “zero to many” => “zero or more”.
  *   I’m a little surprised that the value before receiving an ORIGIN frame isn’t the set of origins in the certificate.  If the behavior is expected to be different in some manner for an uninitialized set, we should specify that case.  If not, why not simplify the logic by initializing the set?
  *   The initialization on receipt of the first ORIGIN frame having the wrong port in the case of Alt-Svc feels a bit weird.  Given that this is an H2 extension, and H2 includes the port in the :authority pseudo-header, why is this not initialized to the authority (including port) of the origin for which the connection was generated?  Otherwise, we wind up considering the server authoritative for an origin for which the server has never claimed to be authoritative.  While I can’t think of an obvious attack, this feels like an opening that’s asking to be exploited some day.
  *   Section 4 contains two nearly-identical paragraphs that probably should be merged and duplicative text trimmed.
  *   Each version of that paragraph contains an OUGHT TO which needs to be capitalized, and the appropriate RFC 6919 reference text added to Section 1.1.  😉

________________________________
From: Patrick McManus [mailto:pmcmanus@mozilla.com]
Sent: Tuesday, September 12, 2017 11:34 AM
To: HTTP Working Group <ietf-http-wg@w3.org>; mnot <mnot@mnot.net>; Erik Nygren <erik@nygren.org>
Subject: Working Group Last Call The ORIGIN HTTP/2 Frame

Gentlefolk of HTTPbis,

The authors and myself (as chair) have decided that https://datatracker.ietf.org/doc/draft-ietf-httpbis-origin-frame/ (-04) is ready for the working group last call. Please review it and raise any issues on the list over the next two weeks. The most recent changes are focused in the security considerations. There are currently no open issues in the github tracker.

WGLC will end on October 01, 2017.

Thanks
-Patrick

Received on Friday, 22 September 2017 22:00:15 UTC
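The origin-set behaviour the reply above raises (the uninitialized set before any ORIGIN frame, and which port seeds the set on the first frame) as an added example; this is not code from the thread, the draft or any implementation. It assumes the ORIGIN payload layout of repeated 16-bit-length-prefixed ASCII origins as published in RFC 8336 (the -04 draft may differ in detail), and the names `OriginSet`, `normalize_origin`, `parse_origin_frame`, the two seeding policies `'connection'` (connection host and port) and `'authority'` (the :authority the connection was opened for, port included) and the hosts in `alt_svc_demo` are all constructed for illustration.

```python
from urllib.parse import urlsplit

def normalize_origin(origin: str) -> str:
    """Canonical 'https://host:port' so default and explicit ports compare equal."""
    p = urlsplit(origin)
    if p.scheme != "https" or not p.hostname or p.path not in ("", "/") or p.query or p.fragment:
        raise ValueError(f"not an https origin: {origin!r}")
    return f"https://{p.hostname}:{p.port or 443}"

def parse_origin_frame(payload: bytes) -> list[str]:
    """Split an ORIGIN payload into its entries: repeated (Origin-Len:16, ASCII-Origin)."""
    origins, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated Origin-Len")
        length, pos = int.from_bytes(payload[pos:pos + 2], "big"), pos + 2
        if pos + length > len(payload):
            raise ValueError("Origin-Len runs past the end of the payload")
        origins.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return origins

class OriginSet:
    """Origins one HTTP/2 connection is treated as authoritative for.  Uninitialized
    (None) until the first ORIGIN frame, which seeds it with the connection's own
    host:port ('connection') or with the requested :authority ('authority')."""
    def __init__(self, conn_host: str, conn_port: int, request_authority: str, policy: str):
        self.request_origin = normalize_origin(f"https://{request_authority}")
        self.seed = (normalize_origin(f"https://{conn_host}:{conn_port}")
                     if policy == "connection" else self.request_origin)
        self.origins = None  # the uninitialized state the reply asks about

    def process_frame(self, payload: bytes) -> None:
        if self.origins is None:
            self.origins = {self.seed}
        for entry in parse_origin_frame(payload):
            try:
                self.origins.add(normalize_origin(entry))
            except ValueError:
                pass  # a malformed entry is skipped, never trusted

    def is_authoritative(self, origin: str) -> bool:
        target = normalize_origin(origin)  # before any frame, only the requested authority counts
        return target == self.request_origin if self.origins is None else target in self.origins

def alt_svc_demo(policy: str) -> tuple[bool, bool]:
    """Constructed case: https://example.com reached via Alt-Svc on example.com:8443.
    Returns (authoritative for https://example.com, authoritative for https://example.com:8443)."""
    s = OriginSet("example.com", 8443, "example.com", policy)
    entry = b"https://cdn.example.com"  # constructed single-entry ORIGIN frame payload
    s.process_frame(len(entry).to_bytes(2, "big") + entry)
    return s.is_authoritative("https://example.com"), s.is_authoritative("https://example.com:8443")
```

With the `'connection'` policy the set admits https://example.com:8443, an origin the server never named, and drops the origin the connection was actually opened for; the `'authority'` policy keeps exactly the claimed origins.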