- From: Ryan Sleevi <ryan-ietf@sleevi.com>
- Date: Fri, 31 Aug 2018 10:58:10 -0400
- To: felixh@fb.com
- Cc: Mark Nottingham <mnot@mnot.net>, jyrki@google.com, chaals@yandex-team.ru, eustas@google.com, Vlad Krasnov <vlad@cloudflare.com>, terrelln@fb.com, cyan@fb.com, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CAErg=HH7bqarp4e=mj_4rSfJwi6ycECOT1Wf1t-HttGAzO8RJw@mail.gmail.com>
On Fri, Aug 24, 2018 at 6:24 AM Felix Handte <felixh@fb.com> wrote: > For our own part, we find ourselves drawn towards a solution that makes a > lot of the same choices as SDCH. That is, one that treats dictionaries as > explicit resources that can be dynamically advertised by an origin, fetched > and cached by a client, and then negotiated to be used in > requests/responses between the two. The ability to treat a previous, cached > response as a base on which to apply a "diff" (negotiated by ETag?) is also > attractive to us. > I would strongly advise against such solutions, as they are a significant part of why SDCH support was removed from browsers. I think, to the set of concerns you need to consider in any such solution (which, in my mind, demonstrating the security concerns can be mitigated is paramount of those), you need to define not only the interaction in the 'simple' HTTP sense of Request/Response pairs, but also in the complexity of those interactions as they apply to browsers, for which concerns like same-origin versus cross-origin apply, the re-ordering of requests, and the potential of multiple requests proceeding simultaneously (which H/2 also has to countenance). This also further interacts with models of cache storage and in-memory representation - challenges such as "What happens if a dictionary expires midway during the processing of a response" were fairly fatal, as were the issues around TOCTOU - that is, advertising a dictionary from a request, making a request with said dictionary, and finding it was evicted from the cache prior to the response. Models such as the approach by vkrasnov h2-compression-dictionaries are substantially superior in these respects, because it more closely models and defines these interactions, through the association with and scoping to a single H/2 resource. It might be that your concern is not the dominant HTTP case of browsers, in which case, it may be fine to ignore these. But I think, from the experiences implementing and maintaining SDCH, models that approximate that space (of resourced dictionaries, advertisements, etc) are likely to be too great an implementation cost, and too great a cognitive cost to the predictability of the platform, to see any meaningful adoption. Of course, this is all after the security concerns are mitigated ;)
Received on Friday, 31 August 2018 15:51:03 UTC