Re: Ben Campbell's No Objection on draft-ietf-httpbis-cdn-loop-01: (with COMMENT)

Hi Mark,

Thanks for the quick response. Response-responses are inline. I removed sections that seem resolved.

Thanks!

Ben

> On Dec 19, 2018, at 7:56 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> Hi Ben,
> 
>> On 20 Dec 2018, at 10:58 am, Ben Campbell <ben@nostrum.com> wrote:
>> 
>> *** Substantive Comments ***
> 

[...]

> 
>> -- last paragraph: "To be effective, intermediaries - including
>> Content Delivery Networks - MUST NOT remove this header field,"
>> 
>> Does that put normative requirements on things that do not implement the spec?
> 
> That's a good question. If this is an issue, I think we could address it by either updating RFC7231, or removing the requirement and making this prose.
> 
> Do people have a preference there?
> 

I’m okay either way. The latter is probably easier :-)

> 
>> §3, first paragraph: How can CDNs stop their customer from modifying the header?
> 
> That depends on what capabilities that they offer to their customers; if they allow customers to configure a header modification, they'll need to make an exception for this header field name. Doing so is common; e.g., most CDNs don't allow you to modify headers like Connection or Content-Length, because doing so would break HTTP.
> 

Ah, maybe my confusion is about who the “customer” is and what it means for them to modify headers. If we are talking about customers configuring CDN settings, then it’s pretty obvious. If, OTOH, the “customers” modify headers in a client or intermediary, then things are different. From your response, I gather the former was the intent.

>> *** Editorial Comments ***
> 

[...]

>> -- last paragraph: The last sentence is convoluted. Can it be broken into
>> simpler sentences?
> 
> I've rewritten to:
> 
> """
> This specification defines the CDN-Loop HTTP request header field to help prevent such attacks and accidents among implementing forwarding CDNs, by disallowing its modification by their customers.
> """

WFM.

Received on Thursday, 20 December 2018 03:23:03 UTC
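
The exception for the CDN-Loop field name that the thread discusses under §3 (customers configuring header modifications in CDN settings), sketched as an added example that is not part of the thread or of any CDN's code. The rule format, function names and sample values are assumptions made for illustration.

```python
# Added illustration; the rule schema and names are hypothetical.
# Header fields a customer may never set, append to, or remove via configuration.
PROTECTED_HEADERS = frozenset({"cdn-loop", "connection", "content-length"})


def _norm(name):
    # HTTP field names are case-insensitive; strip stray whitespace from config input.
    return name.strip().lower()


def validate_customer_rules(rules):
    """Split customer rules into (accepted, rejected) at configuration time.

    Each rule is a dict: {"action": "set"|"append"|"remove", "name": str, "value": str}.
    """
    accepted, rejected = [], []
    for rule in rules:
        (rejected if _norm(rule["name"]) in PROTECTED_HEADERS else accepted).append(rule)
    return accepted, rejected


def apply_rules(headers, rules):
    """Apply rules to a list of (name, value) pairs, skipping protected names.

    The check is repeated here so a rule that bypassed validation still
    cannot touch a protected field at request time.
    """
    out = list(headers)
    for rule in rules:
        name = _norm(rule["name"])
        if name in PROTECTED_HEADERS:
            continue
        if rule["action"] in ("set", "remove"):
            out = [(n, v) for n, v in out if _norm(n) != name]
        if rule["action"] in ("set", "append"):
            out.append((rule["name"].strip(), rule["value"]))
    return out


# Constructed sample input.
SAMPLE_RULES = [
    {"action": "remove", "name": "CDN-Loop", "value": ""},
    {"action": "set", "name": " cdn-loop ", "value": "customer-value"},
    {"action": "set", "name": "X-Env", "value": "prod"},
]
SAMPLE_REQUEST = [("Host", "example.com"), ("CDN-Loop", "upstream-cdn.example")]
```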