Re: HTTP zstd accept-encoding window size from Patrick Meenan on 2023-09-15 (ietf-http-wg@w3.org from July to September 2023)

From: Patrick Meenan <patmeenan@gmail.com>
Date: Fri, 15 Sep 2023 06:44:58 -0400
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAJV+MGysWK5sJXZOP7L5rsyTgZXcHefN35Ec9-=uGXOuD_Vpbw@mail.gmail.com>

Looks like there was discussion on this back in 2021 (sorry for kicking it
off again):
https://lists.w3.org/Archives/Public/ietf-http-wg/2021JulSep/0137.html

We're happy to support some way to be more explicit about negotiated limits
however it is defined (though there is a bit of concern about too many
variations causing cache issues with "vary" for middleboxes).  As things
stand right now, we'll document that Chrome supports zstd with window sizes
up to 8 MB and will reset any streams that try to use larger window sizes.
It doesn't feel great for there to be a breaking implicit limit though.

On Fri, Sep 15, 2023 at 6:24 AM Patrick Meenan <patmeenan@gmail.com> wrote:

> The Zstandard RFC (8478 <https://www.rfc-editor.org/rfc/rfc8478>) defines
> the compression algorithm as well as the content-encoding that is used for
> HTTP.
>
> The compression algorithm itself allows for backreference window sizes up
> to 2 GB but there is language recommending decoders support at least up to
> 8 MB and encoders not generate frames requiring a window size larger than 8
> MB:
>
> -----
>
>    In order to protect decoders from unreasonable memory requirements, a
>    decoder is allowed to reject a compressed frame that requests a
>    memory size beyond decoder's authorized range.
>
>    For improved interoperability, it's recommended for decoders to
>    support values of Window_Size up to 8 MB and for encoders not to
>    generate frames requiring a Window_Size larger than 8 MB.  It's
>    merely a recommendation though, and decoders are free to support
>    larger or lower limits, depending on local limitations.
>
> -----
>
> There are a lot of use cases for Zstandard outside of http that justify
> the need for large window sizes but the "zstd" content encoding
> registration specific to http doesn't specify a limit.
>
> I'm not sure if it belongs here or in a different wg to update, but for
> compatibility of http clients and servers can we update the "zstd"
> content-encoding registration to specify a maximum window size as part of
> the registration?
>
> Chrome 117 has zstd support (behind a flag) with a decoder limit of 8 MB
> based on the recommendations (and to prevent abuse/attack) but we'd feel a
> lot more comfortable if the agreed-upon limit was explicit.
>

Received on Friday, 15 September 2023 10:45:15 UTC