From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Wed, 10 Apr 2019 19:59:39 +0300 (EEST)
To: HTTP Working Group <ietf-http-wg@w3.org>
CC: Mike West <mkwst@google.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00
4.2. The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2
| o Exactly one member whose key is "delivery", and whose value is one
| of the following tokens ([I-D.ietf-httpbis-header-structure],
| Section 3.9): "same-origin", "same-site", or "cross-site".
|
| If the "delivery" member contains an unknown identifier, the
| member MUST be ignored.
This does not work for delivery=same-origin because the
Sec-Http-State: header field is generated on the first request
and the default is delivery=same-site.
That is before the HTTP client has seen the Sec-Http-State-Options
response header field.
This solution is a subset of my "Server/Site opt-in" suggestion
( <20190403182945.069B4C3F26@welho-filter2.welho.com>
https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0007.html
My "Server/Site opt-in" suggestion also still needs
some changes. It does not work well on subresources
which need user opt-in / opt-out.
)
This solution also includes delivery=none for origins
which want to minimize request size (delivery=none is not
a state for user opt-out).
( <20190328190729.F36474EEEA@welho-filter4.welho.com>
https://lists.w3.org/Archives/Public/ietf-http-wg/2019JanMar/0251.html
)
In another mail I suggested replacing "same-site" with "same-domain".
I mark this now as "same-site" [or "same-domain"].
( <20190407171006.AD9EEB38@welho-filter3.welho.com>
https://lists.w3.org/Archives/Public/ietf-http-wg/2019AprJun/0013.html
)
This solution inserts
Sec-HTTP-State: token=query
as the request header when the origin's delivery mode is not known. This
is syntactically different from a token which gives a binary value
/ byte sequence, because that uses * to indicate a base64-encoded value.
( Some of my other suggestions also use
Sec-HTTP-State: token=void
as the request header.)
3.1. HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2
| o "delivery" specifies the initiating contexts from which the token
| can be delivered. It is an enum of either "same-origin", "same-
| site", or "cross-site". Unless otherwise specified, its value is
| "same-site".
⇒
----
o "delivery" specifies the initiating contexts from which the token
can be delivered. It is an enum of either "query", "none",
"same-origin", "same-site" [or "same-domain"], or "cross-site".
Unless otherwise specified, its value is "query".
----
3.3.1. Generate an HTTP State Token for an origin
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-3.3.1
| 2. Let "token" be a newly created HTTP State Token with its
| properties set as follows:
|
| * "creation": The current time.
|
| * "delivery": "same-site"
⇒
----
* "delivery": "query"
----
| * "key": null
|
| * "max-age": 3600
|
|
| * "value": 256 cryptographically random bits.
4.1. The 'Sec-Http-State' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.1
| o Exactly one member whose key is "token", and whose value is binary
| content ([I-D.ietf-httpbis-header-structure], Section 3.9) that
| encodes the HTTP state token's value for the origin to which the
| header is delivered.
|
| If the "token" member contains more than 256 bits of binary
| content, the member MUST be ignored.
⇒
----
o Exactly one member whose key is "token". The value of this key
is either a byte sequence (sh-binary,
[draft-ietf-httpbis-header-structure-09], Section 3.10) or a
token (sh-token, [draft-ietf-httpbis-header-structure-09], Section 3.9).
The byte sequence encodes the HTTP state token's value for the origin to which the
header is delivered. This is binary content.
If the "token" member contains more than 256 bits of binary
content, the member MUST be ignored.
The token value (as sh-token) is "query". This indicates that
the HTTP client supports HTTP state tokens, but needs a value
for "delivery".
----
( My other suggestions include a token value (as sh-token)
which is "void". It also indicates that
the HTTP client supports HTTP state tokens, but binary content
could not be delivered. )
4.2. The 'Sec-Http-State-Options' HTTP Header Field
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-4.2
| o Exactly one member whose key is "delivery", and whose value is one
| of the following tokens ([I-D.ietf-httpbis-header-structure],
| Section 3.9): "same-origin", "same-site", or "cross-site".
⇒
----
o Exactly one member whose key is "delivery", and whose value is one
of the following tokens ([draft-ietf-httpbis-header-structure-09],
Section 3.9): "none", "same-origin", "same-site" [or "same-domain"],
or "cross-site".
Note: "delivery"'s value "query" is the initial value for the metadata
and is not allowed in the "Sec-Http-State" response header.
----
5.1. Attach HTTP State Tokens to a request
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-5.1
5a. If "request-token"'s "delivery" is "null", then skip the remaining steps in
this algorithm, and return without modifying the request.
5b. If "request-token"'s "delivery" is "query", then:
1. The user agent MAY omit generating the Sec-Http-State: request
header if it determines that the origin does not support
HTTP State Tokens.
It is not required that all URLs for the origin
respond with a Sec-Http-State: response header
for the query.
Note: The Sec-Http-State: response header for the query
may be generated only for certain URLs
(for example login and/or front page
URLs).
2. Insert a member into "header-value" whose key is "token" and
whose value is "query" (using sh-token syntax).
3. Skip the remaining steps in this algorithm.
| 8. Insert a member into "header-value" whose key is "token" and
| whose value is "serialized-value".
⇒
----
8. Insert a member into "header-value" whose key is "token" and
whose value is "serialized-value" (using sh-binary syntax).
----
6. Configuring HTTP State Tokens
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-6
| + "header" has a member named "delivery" whose value is not
| one of the following tokens (Section 3.9 of
| [I-D.ietf-httpbis-header-structure]): "same-origin",
| "same-site", and "cross-site".
⇒
----
+ "header" has a member named "delivery" whose value is not
one of the following tokens (Section 3.9 of
[I-D.ietf-httpbis-header-structure]): "none", "same-origin",
"same-site" [or "same-domain"], and "cross-site".
----
/ Kari Hurtta
Received on Wednesday, 10 April 2019 17:00:13 UTC
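As an added illustration, not code from Kari Hurtta's message or from draft-west-http-state-tokens-00, the following Python sketch implements the amended pieces of the proposal end to end: a parser for the amended Sec-Http-State value that tells the sh-token "query" apart from an sh-binary byte sequence and applies the 256-bit limit, a parser for Sec-Http-State-Options that ignores unknown identifiers and treats "query" as not allowed on the wire, and a user agent whose freshly generated token starts in delivery mode "query", sends token=query until the origin answers, and afterwards attaches the value only from initiating contexts the chosen mode covers. Assumptions of the example: step 5a's "null" is read as the "none" delivery mode; the site of an origin is approximated by its last two host labels instead of the Public Suffix List; the structured-header grammar is a deliberately minimal subset of draft-09; and every function, constant and class name is the example's own.

```python
"""Added example (not from the message or the draft): a toy user agent for the 'token=query' variant."""
import base64
import re
import secrets
from urllib.parse import urlsplit

TOKEN_BITS = 256  # 3.3.1: value is 256 random bits; 4.1: longer values MUST be ignored
RESPONSE_DELIVERY_MODES = ("none", "same-origin", "same-site", "cross-site")  # 4.2 as amended
# sh-token (draft-ietf-httpbis-header-structure-09, 3.9): leading ALPHA, then tchar / ":" / "/"
SH_TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z0-9!#$%&'*+\-.^_`|~:/]*")
# sh-binary (section 3.10 of that draft): base64 content delimited by "*"
SH_BINARY_RE = re.compile(r"\*([A-Za-z0-9+/=]*)\*")


def parse_dictionary(value):
    """Minimal sh-dictionary parser: 'k=v, k2=v2' -> {k: raw value string}."""
    members = {}
    for part in value.split(","):
        key, sep, raw = part.strip().partition("=")
        if not sep or not key:
            raise ValueError("malformed dictionary member: %r" % part)
        members[key.strip()] = raw.strip()
    return members


def serialize_binary(data):
    return "*%s*" % base64.b64encode(data).decode("ascii")  # sh-binary serialization


def parse_sec_http_state(value):
    """Parse a Sec-Http-State request header (4.1 as amended): ("query", None) for the
    sh-token 'query', ("value", bytes) for an sh-binary member of at most 256 bits,
    ("ignored", None) when the draft says the member MUST be ignored; else an error."""
    members = parse_dictionary(value)
    if list(members) != ["token"]:
        raise ValueError("expected exactly one member with key 'token'")
    raw = members["token"]
    m = SH_BINARY_RE.fullmatch(raw)
    if m:
        decoded = base64.b64decode(m.group(1), validate=True)
        if len(decoded) * 8 > TOKEN_BITS:
            return ("ignored", None)
        return ("value", decoded)
    if SH_TOKEN_RE.fullmatch(raw) and raw == "query":
        return ("query", None)
    raise ValueError("token member is neither sh-binary nor the sh-token 'query'")


def parse_sec_http_state_options(value):
    """Parse Sec-Http-State-Options (4.2 as amended): the new delivery mode, or None when
    the member is ignored. 'query' is only the initial metadata value, so it is unknown here."""
    delivery = parse_dictionary(value).get("delivery")
    return delivery if delivery in RESPONSE_DELIVERY_MODES else None


def site_of(origin):
    """Site approximation (assumption): scheme plus the last two host labels."""
    parts = urlsplit(origin)
    return (parts.scheme, ".".join(parts.hostname.split(".")[-2:]))


def relation(initiator, target):
    if initiator == target:
        return "same-origin"
    if site_of(initiator) == site_of(target):
        return "same-site"
    return "cross-site"


# Initiating contexts from which a token with the given delivery mode may be sent.
ALLOWED = {"same-origin": {"same-origin"},
           "same-site": {"same-origin", "same-site"},
           "cross-site": {"same-origin", "same-site", "cross-site"}}


class UserAgent:
    """Per-origin token store plus the amended 'attach' algorithm (5.1)."""

    def __init__(self):
        self.tokens = {}  # origin -> {"delivery": str, "value": bytes}

    def token_for(self, origin):
        # 3.3.1 as amended: a freshly generated token starts with delivery "query"
        if origin not in self.tokens:
            self.tokens[origin] = {"delivery": "query",
                                   "value": secrets.token_bytes(TOKEN_BITS // 8)}
        return self.tokens[origin]

    def request_header(self, initiator, target):
        """Sec-Http-State value for a request from `initiator` to `target`, or None to omit it."""
        tok = self.token_for(target)
        if tok["delivery"] == "none":
            return None  # step 5a, reading its "null" as the "none" mode (assumption)
        if tok["delivery"] == "query":
            return "token=query"  # step 5b: ask the origin which delivery mode it wants
        if relation(initiator, target) not in ALLOWED[tok["delivery"]]:
            return None  # context not covered by the origin's delivery choice
        return "token=" + serialize_binary(tok["value"])  # step 8, sh-binary syntax

    def process_response(self, origin, options_header):
        """Apply a Sec-Http-State-Options response header; returns the accepted mode or None."""
        mode = parse_sec_http_state_options(options_header)
        if mode is not None:
            self.token_for(origin)["delivery"] = mode
        return mode
```

Walking one origin through the states shows the point of the message: the first request to https://example.com carries token=query, a response of delivery=same-origin switches later same-origin requests to the sh-binary value while a same-site request from https://www.example.com gets nothing, delivery=query or an unknown identifier in the response leaves the stored mode untouched, and delivery=none suppresses the header altogether. The MAY in step 5b.1 (skipping the query for origins known not to support the mechanism) is not modelled; a real user agent would also need the Public Suffix List rather than the two-label site approximation used here.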