Re: 103 Early Hints from Lucas Pardue on 2024-09-25 (ietf-http-wg@w3.org from July to September 2024)

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Wed, 25 Sep 2024 20:17:14 +0100
To: "Glenn Strauss" <gs-lists-ietf-http-wg@gluelogic.com>
Cc: "Mark Nottingham" <mnot@mnot.net>, "Kazuho Oku" <kazuhooku@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <d83765ee-00b0-41d9-82d9-d67da0e75a3f@app.fastmail.com>
Hey Glenn

On Wed, Sep 25, 2024, at 03:44, Glenn Strauss wrote:
> Lucas wrote:
> > There was also some chatter about highlighting deployment considerations about HTTP versions (i.e. it's fine for H2/3 but experience has shown that H1 can be problematic). I tend to agree with that. But I'm not sure the best sort of text to capture it, do we have any other examples of such a consideration?
> 
> There is a note in RFC8297 Security Considerations section:
> https://www.rfc-editor.org/rfc/rfc8297.html#section-3
> Lucas, is there more that you would like to add?

I had forgotten about that note, so thanks for the pointer! I wonder of others have forgotten too.

I'm not 100% sure what additional text might be good but to throw some opinions out...

The RFC text says

   Some clients might have issues handling a 103 (Early Hints) response,
   because informational responses are rarely used in reply to requests
   not including an Expect header field ([RFC7231], Section 5.1.1).

   In particular, an HTTP/1.1 client that mishandles an informational
   response as a final response is likely to consider all responses to
   the succeeding requests sent over the same connection to be part of
   the final response.  Such behavior might constitute a cross-origin
   information disclosure vulnerability in case the client multiplexes
   requests to different origins onto a single persistent connection.

   Therefore, a server might refrain from sending 103 (Early Hints)
   responses over HTTP/1.1 unless the client is known to handle
   informational responses correctly.

   HTTP/2 clients are less likely to suffer from incorrect framing since
   handling of the response header fields does not affect how the end of
   the response body is determined.


I think what this _might_ be overlooking is that the server might think it understands the client capabilities but that failures can happen when expectations fail. That could even happen when using HTTP/2 or HTTP/3 (although evidence suggests that HTTP/1.x client are particularly problematic for 1xx support *and* they migh trigger a security problem.

The failure cases I've seen ocurred with intermediaries. Even if we tried to UA sniff, there could be some proxy in the middle that is passing through indicators and we can't detect it. I've also seen the opposite, where an H2 proxy client spoke to an upstream CDN that emitted early hints and triggered a bug in the non-final response handling of the library (that bug was fixed pretty quick though and is no longer a problem). 

So as I write this, I'm looking at RFC 8297 and it doesn't really have much to say about intermediaries. Section 1 states:

> The informational response can also be used by an
   origin server to trigger HTTP/2 server push at a caching
   intermediary.

Not sure that's something we want to include when promoting from experimental?

Perhaps intermediares are an area where more deployment experience could be captured, in addition to the concrete security considerations already present. 

Finally, the treatment in this document on non-final responses that are not the Expect: 100-continue was unique in 2017 when 103 was forging ground. However, we now have things like resumable uploads that are using 104. Maybe there'll be some more in future. The considerations about when its safe./suitable to emit non-100 non-final responses probably applies equally to them all. So perhaps we should be thinking of extracting out the common bits into a standalone document. I appreciate that's more upfront work but might make it easier to make more robust HTTP extensions in the longer run.

Cheers
Lucas

> 
> I support advancing RFC 8297 from Experimental to Proposed Standard.
> 
> Since lighttpd 1.4.72, 103 Early Hints is employed by the lighttpd
> mod_dirlisting application when generating listings of large directories
> and when a separate link is configured for CSS or JS of the resulting
> page.  In that scenario, lighttpd mod_dirlisting sends 103 Early Hints,
> but only for HTTP/2 and later; not for HTTP/1.x.
> 
> Cheers, Glenn
> 
> On Wed, Sep 25, 2024 at 01:40:12AM +0100, Lucas Pardue wrote:
> > Hey,
> > 
> > On Wed, Sep 25, 2024, at 00:43, Mark Nottingham wrote:
> > > I'm CC:ing Kazuho because I talked to him about updating 8297 from Experimental to Proposed Standard at a recent IETF.*
> > > 
> > > Given the discussion below and responses to it (which I'd characterise as supportive), is anyone willing to submit a draft for the WG to consider here? Otherwise, we can request that the IESG update the status of the RFC without a draft.
> > 
> > My initial email proposed a few things. To clarify, my interpretation of the thread was that there was some support for changing it from experimental. 
> > 
> > However, there was not support for adding a new client ssignal.which is fine by me.
> > 
> > There was also some chatter about highlighting deployment considerations about HTTP versions (i.e. it's fine for H2/3 but experience has shown that H1 can be problematic). I tend to agree with that. But I'm not sure the best sort of text to capture it, do we have any other examples of such a consideration?
> > 
> > Am happy to help things but the natural pen holder would IMO be Kazuho still.
> > 
> > Cheers
> > Lucas
> > 
> > > 
> > > Cheers,
> > > 
> > > 
> > > * No, I don't remember which one.
> > > 
> > > 
> > > > On 10 Jun 2023, at 12:09 pm, Lucas Pardue <lucaspardue.24.7@gmail.com> wrote:
> > > > 
> > > > Hi folks,
> > > > 
> > > > RFC 8297, defining 103 Early Hints was published in 2017. It's been a bit of a sleeper hit, in the last 18 months or so we've seen uptake and deployment on client and server sides. 
> > > > 
> > > > As is natural, we've been gaining experience through deployment. Helping to identify the areas with Early Hints helps, and areas where there might be some possible tweaks. One example is that it isn't always useful to emit a 103 Early Hint in response to every request that is received, because the client's processing context would ignore it.
> > > > 
> > > > Client Hints (RFC 8942) has some text that deals with considerations we are now learning about Early Hints. For instance, a server could emit an Accept-CH header, and Section 5 of RFC 8942 describes considerations for the cost of sending Client Hints.
> > > > 
> > > > After some chatter on Twitter the past week, a few different people suggested that something like an Accept-EH request header field might be useful to help clients to indicate when Early Hints are useful or not. If we made this a list of field names, it could allow some tailoring of the emission and content of the hints.
> > > > 
> > > > My thinking was maybe its time to upgrade Early Hints from experimental and roll in some of the learnings / proposals into the update document.
> > > > 
> > > > Thoughts?
> > > > 
> > > > Cheers,
> > > > Lucas
> > > 
> > > --
> > > Mark Nottingham   https://www.mnot.net/
> > > 
> > > 
> > > 
> 
>
Received on Wednesday, 25 September 2024 19:17:39 UTC