Re: Robert Wilton's No Objection on draft-ietf-httpbis-header-structure-18: (with COMMENT)

Hi Rob,

Thanks for the feedback. The commit mentioned below is <https://github.com/httpwg/http-extensions/commit/5eb50dafa>.

> On 21 May 2020, at 12:16 am, Robert Wilton via Datatracker <noreply@ietf.org> wrote:
> 
> However, my main comment (which possibly could have been a discuss) questions
> how this is specified.  In my experience other specifications of encodings
> define exactly what format the encoding must take, but leave it up to
> implementation to decide how to perform that encoding.  Whereas this document
> specifies the format in 3 ways: (i) as a prose description of the format, (ii)
> as an ABNF description of the format, (iii) as a pair of algorithms that
> construct or parse the format.  I would prefer for the ANBF to be definitive
> along with prose to describe/refine the ANBF as required.  For the algorithms,
> I would have preferred that they are held in the appendix as non-normative text
> that provides a description of one possible method of writing the serialization
> or parsing code.  The corner cases that the algorithms cover could be in the
> normative prose/ABNF description.  I appreciate that this would be a
> significant change to the document and hence will leave it to
> authors/responsible AD to decide whether to process or ignore this comment.

There's a fair bit of history here. HTTP headers have typically been defined using ABNF as you suggest. That has led to a number of interoperability (and often security) problems, because the vast majority of people don't write ABNF-based parsers or serialisers; they manually interpret the ABNF, prose and examples and write a bespoke parser and serialiser. These issues are exacerbated by the relatively diffuse pool of new field authors (people mint HTTP headers outside the IETF on a regular basis, for a large variety of reasons), and by the even more diffuse pool of people who actually send headers (people writing .htaccess files in Apache, people writing PHP and CGI scripts, people sending a header in XmlHttpRequest or Fetch, etc.).

All of this led us to try a different approach - specifying parsing and serialisation via pseudo-code. This is the way that the WHATWG writes their specifications (including HTML and Fetch), and it's arguably improved interoperability for Web developers -- which is also our audience -- considerably.

The ABNF is included mostly to make folks who are used to thinking of HTTP fields in those terms more comfortable. As we've seen during the IESG evaluation, that's led to some confusion, so the most recent changes have attempted to make the status of the ABNF more clear.

> A few other comments on particular sections that I noted:
> 
> 1.2.  Notational Conventions
> 
>   When parsing from HTTP fields, implementations MUST follow the
>   algorithms, but MAY vary in implementation so as the behaviors are
>   indistinguishable from specified behavior.
> 
> I find that sentence slightly strange in that the first part of the sentence
> states that you MUST follow the algorithm, and the second part states that you
> don't have to follow the algorithm.  It might be more clear if this was worded
> differently.  E.g. MUST have behavior that is indistinguishable from that
> produced by the algorithm.

Thank you, that's good wording. See the commit.

> 3.1  Lists:
> 
>   An empty List is denoted by not serializing the field at all.
> 
> This was slightly unclear to me.  Does this mean that it isn't possible to
> distinguish between not providing the header and providing an empty list? 
> Possibly it might be worth clarifying this here, although I note that it does
> become clear what the expected behavior is later in the document.

This has been clarified as a result of other comments.

> 3.2.  Dictionaries
> 
>   Dictionaries are ordered maps of name-value pairs, where the names
>   are short, textual strings
> 
> "short, textual" => "short textual"
> 
> It might also be helpful to explicitly state what the ordering is (i.e. I
> presume that it is the order that they are listed in the request)

In the commit.

> 3.3.1 Integers
> Are "00" "01" "-0", "-01" all allowed?

They're all allowed in the serialisation, but aren't necessarily distinct in the data model. Do you (and others) think it's worth mentioning here?

> 3.3.6.  Booleans
> Should this cover the fact that if the boolean value is not present it is
> interpreted as true in a parameter or dictionary?  E.g. as per the description
> in the parameter and dictionaries sections?

That's a good clarification; in the commit.


Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Thursday, 21 May 2020 02:34:51 UTC
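
The following is an added example, not part of the original message and not code from the draft or its authors. It sketches a step-by-step Integer parser and a canonical serialiser to show the point made in the 3.3.1 exchange: "00", "01", "-0" and "-01" are all accepted on input but collapse to the same data-model values. The function names, the 15-digit limit and the rule that nothing may follow the number are assumptions made for this sketch.

```python
# Added illustration; not code from draft-ietf-httpbis-header-structure.
# Assumptions: an Integer is an optional "-" followed by 1 to 15 digits,
# leading zeros are accepted on input, and the whole field value is one Integer.
DIGITS = "0123456789"
MAX_DIGITS = 15  # assumed limit on the number of digits


def parse_integer(field_value: str) -> int:
    """Consume the input one character at a time, as an algorithmic spec reads."""
    rest = field_value
    sign = 1
    if rest.startswith("-"):
        sign = -1
        rest = rest[1:]
    if not rest or rest[0] not in DIGITS:
        raise ValueError("expected a digit")
    digits = ""
    while rest and rest[0] in DIGITS:
        digits += rest[0]
        rest = rest[1:]
        if len(digits) > MAX_DIGITS:
            raise ValueError("integer too long")
    if rest:
        # Decimals and other item types are out of scope for this sketch.
        raise ValueError("trailing characters")
    return sign * int(digits)


def serialize_integer(value: int) -> str:
    """Emit the single canonical text form for a data-model value."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("not an integer")
    if abs(value) >= 10 ** MAX_DIGITS:
        raise ValueError("out of range")
    return str(value)


def canonicalize(field_value: str) -> str:
    """Parse then re-serialise, so equal values always yield equal text."""
    return serialize_integer(parse_integer(field_value))


if __name__ == "__main__":
    for text in ["00", "0", "01", "1", "-0", "-01"]:  # constructed inputs
        print(repr(text), "->", parse_integer(text), "->", repr(canonicalize(text)))
```

Code that compares, caches or signs the raw field text would treat "01" and "1" as different values; comparing the parsed value or the re-serialised form avoids that mismatch.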