- From: Yoav Weiss <yoav@yoav.ws>
- Date: Fri, 31 Aug 2018 17:56:44 +0200
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Cc: Charles Vazac <cvazac@gmail.com>
Received on Friday, 31 August 2018 15:57:18 UTC
Hello,

As part of SRI <https://github.com/w3c/webappsec-subresource-integrity>, browsers became sensitive to response transformations, and HTTP servers need to be aware of that, and avoid such transformations. That's true for intermediaries, CDNs, as well as for HTTP servers which may want to apply optimizations but are not aware of the content that they are serving.

Previously the SRI spec required requests for SRI resources to include a `cache-control: no-transform` header, to indicate that to servers. However, as Mark pointed out <https://github.com/w3c/webappsec/issues/217#issuecomment-111945173>, the current language says that servers shouldn't apply transformations "to the payload", presumably the request's payload.

Would there be any objections to correcting that language, and changing those semantics, such that the `no-transform` semantics of requests also apply to the eventual response? Any reason we shouldn't do that?

Cheers,
Yoav
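The interaction described in the message above, as an added example that is not part of the original post or of any spec text: an intermediary's whitespace optimization changes the response bytes, so the SRI check fails unless the request's `no-transform` directive is treated as covering the response. The function names, the `applies_to_response` switch, the sample script body and the whitespace-collapsing "optimization" are all assumptions made for illustration, and the integrity check is simplified to a single hash.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample script body, as served by the origin.
ORIGIN_BODY = b"function greet() {\n    return 'hi';\n}\n"

def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Integrity metadata in the SRI form '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser-side check, simplified to a single hash with no options."""
    alg = integrity.partition("-")[0]
    if alg not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_digest(body, alg), integrity)

def has_no_transform(headers: dict) -> bool:
    """True if a Cache-Control header carries the no-transform directive."""
    value = ",".join(v for k, v in headers.items() if k.lower() == "cache-control")
    return "no-transform" in (d.strip().lower() for d in value.split(","))

def optimize(body: bytes) -> bytes:
    """Hypothetical intermediary optimization: collapse whitespace runs."""
    return re.sub(rb"\s+", b" ", body).strip()

def intermediary_response(request_headers: dict, origin_body: bytes,
                          applies_to_response: bool) -> bytes:
    """Body forwarded to the browser.

    applies_to_response=True models the semantics proposed in the message:
    no-transform on the request also protects the eventual response.
    """
    if applies_to_response and has_no_transform(request_headers):
        return origin_body
    return optimize(origin_body)

if __name__ == "__main__":
    integrity = sri_digest(ORIGIN_BODY)
    request = {"Cache-Control": "no-transform"}
    for flag in (False, True):
        body = intermediary_response(request, ORIGIN_BODY, flag)
        print(f"applies_to_response={flag}: SRI match = {sri_matches(body, integrity)}")
```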