Re: Compression dictionary draft ID - draft-meenan-httpbis-compression-dictionary-00

Hi Pat,

On Sat, Jul 1, 2023, at 03:30, Patrick Meenan wrote:
>  The spec is hopefully written in such a way that it is not specific to 
> the browser use case but does have some additional carve-outs for some 
> of the browser-specific privacy concerns.

Given how delicate the security constraints are, this is probably insufficient:

> In these cases, dictionary compression MUST only be used when both the dictionary and the compressed response are fully readable by the client.

You previously said "clients, like web browsers", but I think that this is an error.  That's especially important given that this is your primary security mechanism.

In a multi-tenant environment like the web, this needs to be very carefully - and fully - specified.  Could an image loaded by a page from a cross-site origin use this mechanism?

(I also see a bunch of formatting issues in the draft, but those are of less consequence.  Maybe I can recommend checking that the output matches expectations before publishing the next version.)

Received on Tuesday, 4 July 2023 02:10:58 UTC