- From: 安福一樹 <kazuki_yasufuku@dwango.co.jp>
- Date: Fri, 06 Apr 2018 06:57:40 +0000
- To: ietf-http-wg@w3.org
- Message-Id: <CANafxVH17rpt+5PZ-XS8ycpTLKqz3dWGY_0mA7xAhYump7a0gg@mail.gmail.com>
Hello, I am a developer of this HTML5 game upload site: https://game.nicovideo.jp/atsumaru/

I have some questions about RFC 7540 section 10.5.1. Why can a server send an HTTP 431 status code when it receives a larger header block ("CAN", not "MUST")? In an HTTP/1.1 connection, a server MUST respond with a 4xx status code when it receives a larger header (RFC 7230).

So, if a user accesses a site where anyone can upload JavaScript code and gets large cookies, then we can send a customized HTTP 4xx response which contains cookie-erasing code. But in HTTP/2, since the server does not need to send an HTTP 431 response, we will not have a chance to erase the cookies.

In the actual implementation, nginx will terminate the HTTP/2 session with an ENHANCE_YOUR_CALM error without any HTTP response, so Chrome will display "cannot connect to server". So we cannot send a response which contains cookie-erasing code to a user who plays a game containing a "Cookie Bomb".

So, we have two questions.
First question: why was the text changed from "CAN" to "MUST" when receiving large cookies (headers)?
Second question: is this problem an implementation issue or a specification problem?

Sincerely,
Kazuki Yasufuku

--
*******************************************
Kazuki Yasufuku
Software Engineer, UGC game platform section
DWANGO Co., Ltd.
E-MAIL: kazuki_yasufuku@dwango.co.jp
*******************************************
Received on Friday, 6 April 2018 14:15:22 UTC
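The HTTP/1.1 side of the workaround the mail describes, as an added example that is not code from the original message, from nginx or from Chrome: a Node.js handler that measures the request Cookie header and, when it exceeds a limit, answers 431 (RFC 6585) with Set-Cookie headers that expire every cookie name seen plus a page whose script clears the remaining path and domain variants. The limit MAX_COOKIE_BYTES, the page markup, the `--serve` flag and the port are assumptions for illustration.

```javascript
// Added example (not from the original mail, nginx or Chrome): answer an
// oversized Cookie header with 431 plus cookie-clearing headers and markup,
// instead of dropping the connection as the mail says nginx does over h2.

const MAX_COOKIE_BYTES = 4096; // assumed limit; keep it below the HTTP parser's
                               // own cap (Node: --max-http-header-size) or the
                               // request is rejected before this code runs

// Cookie names present in a request Cookie header ("a=1; b=2" -> ["a", "b"]).
// Pairs without "=" are skipped; duplicate names collapse to one entry.
function parseCookieNames(cookieHeader) {
  const names = new Set();
  for (const pair of (cookieHeader || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const name = pair.slice(0, eq).trim();
    if (name) names.add(name);
  }
  return [...names];
}

// One expiring Set-Cookie per name. Path=/ is the only path the server can
// know about; the page script below covers other paths and domains.
function expiringSetCookies(names) {
  return names.map(
    (name) => `${name}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0`
  );
}

// Page body. It enumerates document.cookie client-side rather than reflecting
// the attacker-controlled cookie names into the HTML, and expires each name for
// every path prefix of the current URL and every domain suffix. HttpOnly
// cookies are invisible to script and rely on the Set-Cookie headers instead.
const RESET_PAGE = `<!doctype html>
<meta charset="utf-8">
<title>Cookies reset</title>
<p>The cookies stored for this site were too large and have been cleared.</p>
<script>
(function () {
  var past = "=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0";
  var paths = ["/"];
  var parts = location.pathname.split("/").filter(Boolean);
  for (var i = 0; i < parts.length; i++) {
    var p = "/" + parts.slice(0, i + 1).join("/");
    paths.push(p, p + "/");
  }
  var domains = [""];
  var labels = location.hostname.split(".");
  for (var j = 0; j < labels.length - 1; j++) {
    domains.push("; Domain=" + labels.slice(j).join("."));
  }
  document.cookie.split(";").forEach(function (pair) {
    var name = pair.split("=")[0].trim();
    if (!name) return;
    paths.forEach(function (path) {
      domains.forEach(function (domain) {
        document.cookie = name + past + "; Path=" + path + domain;
      });
    });
  });
  if (!sessionStorage.getItem("cookieReset")) { // reload once, never loop
    sessionStorage.setItem("cookieReset", "1");
    location.reload();
  }
})();
</script>
`;

// Decide the response for a request: null when the Cookie header is within the
// limit (normal handling continues), otherwise the 431 response to send.
function buildResponse(cookieHeader, maxBytes = MAX_COOKIE_BYTES) {
  const size = new TextEncoder().encode(cookieHeader || '').length;
  if (size <= maxBytes) return null;
  return {
    status: 431,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Cache-Control': 'no-store',
      'Set-Cookie': expiringSetCookies(parseCookieNames(cookieHeader)),
    },
    body: RESET_PAGE,
  };
}

// Minimal HTTP/1.1 server around the logic above; only started when the file
// is run with `--serve` (flag and port are assumptions).
async function startServer(port = 8080) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    const reply = buildResponse(req.headers.cookie);
    if (reply === null) {
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end('ok\n');
      return;
    }
    res.writeHead(reply.status, reply.headers);
    res.end(reply.body);
  });
  server.listen(port);
  return server;
}

if (process.argv.includes('--serve')) startServer();
```

This only helps while the browser is still talking HTTP/1.1 to the origin: per the mail, the same oversized header block over HTTP/2 makes nginx close the session with ENHANCE_YOUR_CALM before any response is written, so the handler never runs. The server-side Set-Cookie headers are limited to Path=/ because a server cannot see the path or domain a cookie was scoped to, which is why the page script enumerates document.cookie itself and tries every prefix and suffix; the sessionStorage guard keeps a failed clear from turning into a reload loop.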