W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2019

delivery=same-origin | Re: Formalizing the HTTP State Tokens proposal.

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Wed, 10 Apr 2019 19:59:39 +0300 (EEST)
To: HTTP Working Group <ietf-http-wg@w3.org>
CC: Mike West <mkwst@google.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Message-Id: <20190410165945.583F545C5D@welho-filter4.welho.com>

HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00


4.2.  The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  Exactly one member whose key is "delivery", and whose value is one
|      of the following tokens ([I-D.ietf-httpbis-header-structure],
|      Section 3.9): "same-origin", "same-site", or "cross-site".
|
|      If the "delivery" member contains an unknown identifier, the
|      member MUST be ignored.

This does not work for delivery=same-origin because 

Sec-Http-State: header field is generated on first reguest
and default is delivery=same-site.

That is before http client have seen Sec-Http-State-Options
reponse header field.


This solution is subset from my "Server/Site opt-in" suggestion
( <20190403182945.069B4C3F26@welho-filter2.welho.com>
   https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0007.html

  That my "Server/Site opt-in" suggestion also needs
  some changes yet. It does not work well on subresources
  which need user opt in / opt out.
)

This solution includes also delivery=none for origins
which want mimize request size (delivery=none is not
state for user opt out).
( <20190328190729.F36474EEEA@welho-filter4.welho.com>
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019JanMar/0251.html
)

On another mail I suggested to replace "same-site" with "same-domain".
I mark this now as "same-site" [or "same-domain"].
( <20190407171006.AD9EEB38@welho-filter3.welho.com> 
  https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0013.html
)

This soulution  inserts
     
   Sec-HTTP-State: token=query

is request header when origin's delivery mode is not known.  This
is syntaxtically different from token which gives gives binary value
/ byte sequence because that uses * to indicate base64 encoded value.

( My some other suggestions use also

  Sec-HTTP-State: token=void

as request heaedr).



3.1.  HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  "delivery" specifies the initiating contexts from which the token
|      can be delivered.  It is an enum of either "same-origin", "same-
|      site", or "cross-site".  Unless otherwise specified, its value is
|      "same-site".

⇒

----
    o  "delivery" specifies the initiating contexts from which the token
       can be delivered.  It is an enum of either "query", "none", 
       "same-origin", "same-site" [or "same-domain"], or "cross-site".  
       Unless otherwise specified, its value is "query".
----

3.3.1.  Generate an HTTP State Token for an origin
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-3.3.1

|   2.  Let "token" be a newly created HTTP State Token with its
|       properties set as follows:
|
|       *  "creation": The current time.
|
|       *  "delivery": "same-site"

⇒

----

       *  "delivery": "query"

----

|       *  "key": null
|
|       *  "max-age": 3600
|
|
|       *  "value": 256 cryptographically random bits.


4.1.  The 'Sec-Http-State' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.1

   
|   o  Exactly one member whose key is "token", and whose value is binary
|      content ([I-D.ietf-httpbis-header-structure], Section 3.9) that
|      encodes the HTTP state token's value for the origin to which the
|      header is delivered.
|
|      If the "token" member contains more than 256 bits of binary
|      content, the member MUST be ignored.


⇒

----

   o  Exactly one member whose key is "token". Value of this key
      is either a byte sequence (sh-binary, 
      [draft-ietf-httpbis-header-structure-09], Section 3.10) or a 
      token (sh-token, [draft-ietf-httpbis-header-structure-09], Section 3.9).

      The byte sequence encodes the HTTP state token's value for the origin to which the
      header is delivered. This is a binary content.

      If the "token" member contains more than 256 bits of binary
      content, the member MUST be ignored.
   
      The token value (as sh-token) is "query". This indicates that
      http client supports HTTP state tokens, but needs value
      for "deliver".

---- 

      ( On my other suggestions include token value (as sh-token) 
        which is "void". It also indicates that
        http client supports HTTP state tokens, but a binary content
        could not deliver. )

4.2.  The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2

|   o  Exactly one member whose key is "delivery", and whose value is one
|      of the following tokens ([I-D.ietf-httpbis-header-structure],
|      Section 3.9): "same-origin", "same-site", or "cross-site".

⇒

----

   o  Exactly one member whose key is "delivery", and whose value is one
      of the following tokens ([draft-ietf-httpbis-header-structure-09],
      Section 3.9): "none", "same-origin", "same-site" [or "same-domain"], 
      or "cross-site".

      Note: "delivery"'s value "query" is initial value for metadata
            and not allowed on "Sec-Http-State" response header.

----


5.1.  Attach HTTP State Tokens to a request
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-5.1

   5a.  If "request-token"'s "delivery" is "null", then skip the remaining steps in
        this algorithm, and return without modifying the request.


   5b.  If "request-token"'s "delivery" is "query", then:

        1. The user agent MAY omit generating Sec-Http-State: request
           header if it determines that origin does not support
           HTTP State Tokens.

           It is not required that all URL's for the origin
           responds with Sec-Http-State: response header
           for query.

        Note: Sec-Http-State: response header for query 
              may be genrated only for certain URLs
              (for example login and/or front page's
               URLs).

        2.  Insert a member into "header-value" whose key is "token" and
            value is "query" (using sh-token syntax).

        3. Skip the remaining steps in this algorithm.


|      8.   Insert a member into "header-value" whose key is "token" and
|        whose value is "serialized-value".

⇒

----
       
   8.   Insert a member into "header-value" whose key is "token" and
        whose value is "serialized-value" (using sh-binary syntax).

-----


6.  Configuring HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-6


|           +  "header" has a member named "delivery" whose value is not
|              one of the following tokens (Section 3.9 of
|              [I-D.ietf-httpbis-header-structure]): "same-origin",
|              "same-site", and "cross-site".

⇒

----

           +  "header" has a member named "delivery" whose value is not
              one of the following tokens (Section 3.9 of
              [I-D.ietf-httpbis-header-structure]): "none", "same-origin",
              "same-site" [or "same-domain"], and "cross-site".
----

/ Kari Hurtta
Received on Wednesday, 10 April 2019 17:00:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:34 UTC