
Question about RFC7540 (HTTP/2) section 10.5.1

From: 安福一樹 <kazuki_yasufuku@dwango.co.jp>
Date: Fri, 06 Apr 2018 06:57:40 +0000
Message-Id: <CANafxVH17rpt+5PZ-XS8ycpTLKqz3dWGY_0mA7xAhYump7a0gg@mail.gmail.com>
To: ietf-http-wg@w3.org
Hello

I am a developer of the HTML5 game upload site https://game.nicovideo.jp/atsumaru/
I have some questions about RFC7540 section 10.5.1.
Why "CAN" a server send an HTTP 431 status code when it receives a larger header block (not "MUST")?

In an http/1.1 connection, the server MUST respond with a 4xx status code when it receives a larger header (RFC7230).
So, if a user accesses a site that can upload any javascript code and gets large cookies, then we can send a customized HTTP 4xx response which contains cookie-erasing code.
But in http/2, the server does not need to send an HTTP 431 response, so we will not have a chance to erase the cookies.

In the actual implementation, nginx will terminate the http/2 session with an ENHANCE_YOUR_CALM error without any HTTP response, so chrome will display "cannot connect to server".
So, we cannot send a response which contains cookie-erasing code to a user who plays a game that contains a "Cookie Bomb".

So, we have two questions.
First question: why was the text changed from "CAN" to "MUST" when receiving large cookies (headers)?
Second question: is this problem an implementation issue or a specification problem?

Sincerely,

Kazuki Yasufuku

-- 
*******************************************

Kazuki Yasufuku

Software Engineer, UGC game platform section

DWANGO Co., Ltd.
E-MAIL: kazuki_yasufuku@dwango.co.jp
*******************************************
Received on Friday, 6 April 2018 14:15:22 UTC
