- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Mon, 16 Aug 2021 17:03:17 +1200
- To: ietf-http-wg@w3.org

On 16/08/21 2:45 pm, Kazuho Oku wrote:
> Mark, Alex,
>
> Thank you for your comments. I think your concern regarding
> intermediaries is legitimate.
>
> One way of moving forward would be to say that intermediaries should not
> forward the self-trace request. IIUC, we already have a precedent that
> requires some intercepting proxies modify the request-response: when
> expect-ct: enforce is being used, an intercepting proxy (typically using
> a certificate not registered to CT) has to drop that response header,
> otherwise the browser would refuse to reconnect.
>
> Though, the problem here might be lack of incentive. While intercepting
> proxies would be incentivized to drop expect-ct (if they see errors due
> to the header being forwarded), there would be no incentive for them to
> add code for rejecting self-trace requests.
>
> That said, if we are to adopt MT's proposal (i.e., use a response header
> for indicating the location of the trace), then probably we would have
> better alignment because it would be about having a list of response
> headers that an intercepting proxy might want to drop (i.e. expect-ct
> and the trace header).
>
> The other option would be to add a H3 settings frame that indicates that
> the endpoint is an end-client. Though I would prefer having a tracing
> scheme that does not require changes to endpoints.
>

IMO a mechanism that uses Client-Hints to modify the response type of
TRACE method would meet requirements of this feature better than
.well-known URIs.

The TRACE mechanism has existed in HTTP since 1.1 so all agents should
be able to support it cleanly by now. Agents not implementing the new
mechanism will "fall back" to responding with details of what the
responding server sees arriving: Via, Forwarded traces etc. Which may be
of some use for troubleshooting even in absence of the self-trace
information.

Client-Hints comes with most HTTP handling behaviours pre-defined, so
should not need re-defining for this new mechanism.

Amos

Received on Monday, 16 August 2021 05:07:18 UTC