- From: Martin Thomson <mt@lowentropy.net>
- Date: Fri, 26 Jan 2024 09:40:15 +1100
- To: "Tommy Pauly" <tpauly@apple.com>, "HTTP Working Group" <ietf-http-wg@w3.org>

Yes, we should adopt it. Maybe the first thing we should do is add a clear description of what a client OR server can do to avoid the problems. The server treating Upgrade as implying Connection: close might be a good start, counter to what Section 4 currently says. We should not be recommending mitigations that only one affected party can deploy.

On Wed, Jan 24, 2024, at 04:41, Tommy Pauly wrote:
> Hello HTTP,
>
> This email starts a working group adoption call for "Security
> Considerations for Optimistic Use of HTTP Upgrade",
> draft-schwartz-httpbis-optimistic-upgrade. Notably, this updates RFC
> 9298 (connect-udp, which was produced by the MASQUE WG) on how to
> handle HTTP Upgrade, including to disallow optimistic data sending for
> HTTP/1.1.
>
> The document can be found here:
>
> https://datatracker.ietf.org/doc/draft-schwartz-httpbis-optimistic-upgrade/
> https://www.ietf.org/archive/id/draft-schwartz-httpbis-optimistic-upgrade-00.html
>
> This adoption call will last for 3 weeks, until *Tuesday, February 13*.
> Please reply to this email with your reviews and comments, and whether
> or not you think HTTPBIS should adopt this draft.
>
> Thanks,
> Tommy

Received on Thursday, 25 January 2024 22:40:43 UTC