Structured request headers deployment issues from Yoav Weiss on 2020-06-15 (ietf-http-wg@w3.org from April to June 2020)

From: Yoav Weiss <yoav@yoav.ws>
Date: Tue, 16 Jun 2020 00:15:06 +0200
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Cc: Mark Nottingham <mnot@mnot.net>, Tommy Pauly <tpauly@apple.com>, Ilya Grigorik <igrigorik@gmail.com>, Mike West <mkwst@google.com>
Message-ID: <CACj=BEiT7GnKeS_2wFK8jL0jUFtFYoX-wvXnSsPO4nYJ5P=2bQ@mail.gmail.com>

Hey all,

Chromium M84 (which Chrome equivalent is now in Beta) has User-Agent Client
Hints enabled by default, which is using Structured Headers.

As a result of that, we found multiple sites
<https://bugs.chromium.org/p/chromium/issues/detail?id=1091285> which seem
to have a somewhat allergic reaction to the presence of certain characters
(that are part of the SH format) in request values.
While each site in question is different (in what appears to be coming from
different stacks), we've seen sites that reject requests with quotes,
question marks or equals signs in them.
It's still early, so it's hard to know how widespread the issue is, but we
seem to be adding sites to the list at a faster pace than the pace of
removing fixed ones from it.

So, I wanted to give this group a heads-up on that front, and maybe get
folks' opinions regarding possible things we could do on that front, other
than outreach and waiting for said sites to fix themselves.

Cheers,
Yoav

Received on Monday, 15 June 2020 22:15:38 UTC