- From: Martin Thomson <mt@lowentropy.net>
- Date: Tue, 04 Jul 2023 12:10:29 +1000
- To: ietf-http-wg@w3.org
Hi Pat,

On Sat, Jul 1, 2023, at 03:30, Patrick Meenan wrote:
> The spec is hopefully written in such a way that it is not specific to
> the browser use case but does have some additional carve-outs for some
> of the browser-specific privacy concerns.

Given how delicate the security constraints are, this is probably insufficient:

> In these cases, dictionary compression MUST only be used when both the dictionary and the compressed response are fully readable by the client.

You previously said "clients, like web browsers", but I think that this is an error. That's especially important given that this is your primary security mechanism. In a multi-tenant environment like the web, this needs to be very carefully - and fully - specified.

Could an image loaded by a page from a cross-site origin use this mechanism?

(I also see a bunch of formatting issues in the draft, but those are of less consequence. Maybe I can recommend checking that the output matches expectations before publishing the next version.)
Received on Tuesday, 4 July 2023 02:10:58 UTC