- From: Patrick Meenan <patmeenan@gmail.com>
- Date: Fri, 15 Sep 2023 06:24:31 -0400
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAJV+MGwZH1qKTbVSO2rzGw_9iwJVu9+DOqv3FJXiHWeLKidNOQ@mail.gmail.com>
The Zstandard RFC (8478 <https://www.rfc-editor.org/rfc/rfc8478>) defines the compression algorithm as well as the content-encoding that is used for HTTP. The compression algorithm itself allows for backreference window sizes up to 2 GB but there is language recommending decoders support at least up to 8 MB and encoders not generate frames requiring a window size larger than 8 MB: ----- In order to protect decoders from unreasonable memory requirements, a decoder is allowed to reject a compressed frame that requests a memory size beyond decoder's authorized range. For improved interoperability, it's recommended for decoders to support values of Window_Size up to 8 MB and for encoders not to generate frames requiring a Window_Size larger than 8 MB. It's merely a recommendation though, and decoders are free to support larger or lower limits, depending on local limitations. ----- There are a lot of use cases for Zstandard outside of http that justify the need for large window sizes but the "zstd" content encoding registration specific to http doesn't specify a limit. I'm not sure if it belongs here or in a different wg to update, but for compatibility of http clients and servers can we update the "zstd" content-encoding registration to specify a maximum window size as part of the registration? Chrome 117 has zstd support (behind a flag) with a decoder limit of 8 MB based on the recommendations (and to prevent abuse/attack) but we'd feel a lot more comfortable if the agreed-upon limit was explicit.
Received on Friday, 15 September 2023 10:24:51 UTC