Origin concept Q (was: Re: Link-local connectivity in Web browsers)

On Tue, Feb 20, 2024 at 08:53:11PM -0800, David Schinazi wrote:
> Hi HTTP enthusiasts,
> 
> [I'm creating a separate thread from [1] to avoid further cross-posting.]

Personally i think a topic that equally affects two WGs is perfect for cross-posting,
because without it, we have to throw information back and forth and likely miss
important input from the other side. RFC6874(bis) is an example of what happens then.
But i understand there is some history of (misguided ?) people considering cross-posting evil.

Thanks for writing the draft. I have an ongoing doc with comments etc. for it,
hopefully can finish soon.

In general we do of course need to do everything we can do with (m)DNS, but i fear
several cases people wrote rfc6874 for will not work with DNS. I also think
those cases are not well communicated, and they certainly are for the overall
business of the core internet browsers not very large. Nevertheless, that business
side i think shouldn't stay in the way of an RFC like rfc6874(bis) because everybody
is free to ignore when there is not enough business, and there are more lightweight
implementation options i think, such as plugins. But technical insufficiencies on the
other hand need to be fixed so we have the best option if and when it is needed.

To that end one high level education question about the origin concept:

It seems one of the expectations of origin is that you expect for the hostname
portion of URLs (or at least https URLs) to be of more than local significance
to uniquely identify an http(s) entity (ideally globally unique).

What is the most simple and widely used example for this, e.g.: an example of
something breaking when that hostname portion is not unique ? Is this already a problem
in the face of two parties or just three or more ? Pointer to any existing example text
would be fine.

I am asking, because there are a lot more than link-local-ipv6 addresses that
do not have global significance. Most widely used of course are IPv4 RFC1918
addresses. So i wonder why there wouldn't be the same origin issue about origin
with them.

E.g.: i am running a client side javascript and my system has an rfc1918 address
(192.168.1.2), my javascript pass this ip address back to the web server in the internet,
that server know what to do with it - unreachable. And of course that web server
could get millions of clients all with the same rfc1918 address 192.168.1.2 - and
they're all different entities/origins.

Cheers
    Toerless

> Some of you might have seen various discussions around the use of IPv6
> link-local addresses (such as fe80::1234%eth0) in Web browsers. In
> particular, RFC 6874 had added a way to represent these addresses in URIs.
> I wasn't involved back then but the published RFC ended up being something
> that was quite complex to implement safely in browsers, so it didn't get
> wide support. More recently, draft-ietf-6man-rfc6874bis attempted to create
> a new URI format for such addresses. Oddly, I didn't see it ever discussed
> on this list. That draft had other issues in terms of how it handled the
> Web security model, and ultimately there hasn't been consensus to publish
> it.
> 
> I think it would be great for us to obsolete RFC 6874 and instead recommend
> a solution that already works with every browser today: mDNS. So I wrote a
> draft that does that:
> 
> https://datatracker.ietf.org/doc/draft-schinazi-httpbis-link-local-uri-bcp/
> 
> I'd love to get your thoughts on it!
> 
> Thanks,
> David
> 
> 
> [1] https://lists.w3.org/Archives/Public/ietf-http-wg/2024JanMar/0111.html

-- 
---
tte@cs.fau.de

Received on Thursday, 22 February 2024 01:04:33 UTC