- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Thu, 28 Mar 2019 21:07:23 +0200 (EET)
- To: HTTP Working Group <ietf-http-wg@w3.org>
- CC: Mike West <mkwst@google.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
5.1. Attach HTTP State Tokens to a request
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-5.1
So the Sec-Http-State header field is also added to requests for static sites, which do not need state.
Setting
Sec-Http-State-Options: delivery=same-origin
surely helps reduce the extra Sec-Http-State: header fields being sent
(for example, for static resources which are referenced on an HTML page,
if they use another origin).
However, I suggest
Sec-Http-State-Options: delivery=none
so that a static site can opt out of that request header.
Perhaps it also makes sense to define another member for the "Sec-Http-State-Options" header
dictionary, which controls which elements ('image', 'iframe', 'script', 'audio'
and so on) cause the Sec-Http-State: header field to be added to the request when the corresponding resource
is retrieved. This is an additional constraint ("delivery" is also in force).
The idea is to further reduce HTTP request size.
/ Kari Hurtta
Received on Thursday, 28 March 2019 19:07:54 UTC