Re: Structured request headers deployment issues from Yoav Weiss on 2020-06-19 (ietf-http-wg@w3.org from April to June 2020)

From: Yoav Weiss <yoav@yoav.ws>
Date: Fri, 19 Jun 2020 10:38:09 +0200
To: Mike West <mkwst@google.com>
Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>, Ilya Grigorik <igrigorik@gmail.com>
Message-ID: <CACj=BEgSJEZ5dZjh7F98zKcT8a1nfko8i03_e=+MntWCRKggUw@mail.gmail.com>

On Fri, Jun 19, 2020 at 9:03 AM Mike West <mkwst@google.com> wrote:

> On Fri, Jun 19, 2020 at 7:13 AM Mark Nottingham <mnot@mnot.net> wrote:
>
>> > On 16 Jun 2020, at 8:15 am, Yoav Weiss <yoav@yoav.ws> wrote:
>> >
>> > Hey all,
>> >
>> > Chromium M84 (which Chrome equivalent is now in Beta) has User-Agent
>> Client Hints enabled by default, which is using Structured Headers.
>> >
>> > As a result of that, we found multiple sites which seem to have a
>> somewhat allergic reaction to the presence of certain characters (that are
>> part of the SH format) in request values.
>> > While each site in question is different (in what appears to be coming
>> from different stacks), we've seen sites that reject requests with quotes,
>> question marks or equals signs in them.
>> > It's still early, so it's hard to know how widespread the issue is, but
>> we seem to be adding sites to the list at a faster pace than the pace of
>> removing fixed ones from it.
>>
>
> Yoav, have we experimented at all with alternate spellings? Do
> single-quotes have the same impact as double-quotes, for example? Are other
> (uglier) non-alphanumeric delimiters less likely to cause trouble? There's
> a limited appetite for breakage, and it might be worth exploring alternate
> aesthetics rather than forcing through the particular spelling we like the
> most.
>

We have not. But given the fact that we've seen issues with the use of `"`,
`?` and `=` separately, I'm somewhat assuming that those separate
implementations are using an allow-list approach.
With that said, I can try to throw various values at those known-to-break
servers and see if I can come up with an alternative spelling that would
work with them. It won't give us any guarantees that these spellings would
work at scale, but it might be a good starting point...


>
> > So, I wanted to give this group a heads-up on that front, and maybe get
>> folks' opinions regarding possible things we could do on that front, other
>> than outreach and waiting for said sites to fix themselves.
>>
>> AIUI these aren't new; e.g., IIRC quite a few months ago Chrome
>> encountered several Austrian sites that had this problem, traced back to a
>> local(?) WAF vendor there. I believe that's been corrected since, after
>> reaching out to them.
>>
>
> I think you might be referring to some conversations around the
> (since-renamed) `Sec-Metadata` header in 2018, like those captured in
> https://bugs.chromium.org/p/chromium/issues/detail?id=861678#c11.
>
> Personally, I think that outreach and waiting is the right approach; if
>> browsers consistently send these headers, they'll adapt, and the numbers
>> are still relatively small -- or at least small enough that it's not likely
>> the numbers will be reduced if the syntax is changed (due to _other_ WAFs'
>> opinions about what a "good" request is).
>>
>
> The flip-side of this is that we break sites users rely upon. That's tough
> to do at scale. In this case in particular, I think I agree with the
> underlying assertion that we'd like this syntax to work, and it seems
> reasonable to me to roll it out to a small percentage of stable users. That
> said, if we end up breaking the internet for even a small percentage of
> users, it doesn't seem like a good idea to hold them hostage in the hopes
> of increasing pressure on WAF vendors.
>
> My expectation is that we'd roll this out to a small percentage of stable,
> see a spike in bug reports (especially from enterprise folks who are likely
> to have WAF deployments, unlikely to broadly deploy beta channels, and
> unlikely to choose to enable usage statistics or histograms), see a
> corresponding spike in error codes for top-level navigations, and roll it
> back.
>
> I think it might be reasonable to explore alternate spellings at the same
> time, perhaps with some A/B testing to evaluate how well each weaves its
> way through middleware.
>
> Related, we're also seeing more examples WAFs limiting how we can evolve
>> the protocol (e.g., <https://github.com/coreruleset/coreruleset/pull/1777>).
>> There's been a bit of background chatter about writing something about this
>> and creating better communication with that community; I'm not sure what
>> that will look like yet, but if anyone has ideas or is interested, please
>> say so.
>>
>
> I am interested!
>
> -mike
>

Received on Friday, 19 June 2020 08:38:40 UTC