Re: Proposal adaptation request from Yoav Weiss on 2025-04-30 (ietf-http-wg@w3.org from April to June 2025)

From: Yoav Weiss <yoav.weiss@shopify.com>
Date: Wed, 30 Apr 2025 07:27:50 +0200
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Guohui Deng <guohuideng@microsoft.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CALYmMaeFGyzVjOs2ygZt7--x-K1B-eHr6o+43OOLWUOdREOupg@mail.gmail.com>
On Tue, Apr 29, 2025 at 1:47 AM Roy T. Fielding <fielding@gbiv.com> wrote:

> I don't think it is appropriate to restrict HTTP (reserve a bogus
> "unknown" content coding) just because one extension to an internal API
> might want to indicate a non-registered value has been received without
> actually storing a potential attacker-provided value.
>
> The simplest alternative would be to store a non-HTTP value that cannot be
> registered (like "_").
>

Using "_" seems reasonable, thanks!


> A more reasonable solution would be to understand that
> PerformanceResourceTiming is not an appropriate API for collecting encoding
> information. If you want to know if a fetched "resource" was decoded, then
> compare the two body lengths that are already stored for that purpose
> (encoded size and decoded size).
>
> Determining "how" the resource was encoded is not
> PerformanceResourceTiming, IMO.
> [An origin can determine that from the body size.]
>

Why?
Knowing whether a resource was encoded a certain way is critical to enable
developers to detect encoding mistakes and fix them.


>
> ....Roy
>
>
> On Apr 28, 2025, at 2:29 PM, Guohui Deng <guohuideng@microsoft.com> wrote:
>
> Greetings!
>
> I would like to request the doc mentioned below to be considered for
> adaptation.
>
> Reason for this proposal:
>
> A new field contentEncoding is proposed(
> https://github.com/whatwg/fetch/pull/1796)
>  to be added to PerformanceResourceTiming(
> https://www.w3.org/TR/resource-timing/).
>  This field explicitly exposes the content encoding value in the http
> response that
>  delivered the resource.  This value is beneficial to web sites' and CDNs'
> content
>  delivery optimization, analytics and debugging.
>
> To ensure that the contentEncoding in PerformanceResourceTiming doesn't
> become a side
>  channel, all arbitrary values that are not recognized or supported are
> converted to
>  unknown before exposed in PerformanceResourceTiming. This conversion
> requires that the
>  original value cannot be unknown.
>
> Therefore, this doc proposes a new reserved value unknown for the HTTP
> protocol parameter
> content coding.. A content coding value cannot be unknown.
>
>
> Warm regards,
> Guohui
>
> ------------------------------
> *From:* internet-drafts@ietf.org
> *Sent:* Friday, April 25, 2025 9:27 AM
> *To:* Guohui Deng
> *Subject:* [EXTERNAL] New Version Notification for
> draft-deng-httpbis-unknown-content-coding-00.txt
>
>
> A new version of Internet-Draft
> draft-deng-httpbis-unknown-content-coding-00.txt has been successfully
> submitted by Guohui Deng and posted to the
> IETF repository.
>
> Name:     draft-deng-httpbis-unknown-content-coding
> Revision: 00
> Title:    Register a new reserved content coding value
> Date:     2025-04-23
> Group:    Individual Submission
> Pages:    3
> URL:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-deng-httpbis-unknown-content-coding-00.txt&data=05%7C02%7Cguohuideng%40microsoft.com%7C7736da90b9994adb7a5908dd840dc201%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638811916843736505%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=2ugM6recUnsGRGd3vfA%2FHHoOoihq7AIBD6c3WCQ4p38%3D&reserved=0
> <https://www.ietf.org/archive/id/draft-deng-httpbis-unknown-content-coding-00.txt>
> Status:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-deng-httpbis-unknown-content-coding%2F&data=05%7C02%7Cguohuideng%40microsoft.com%7C7736da90b9994adb7a5908dd840dc201%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638811916843760376%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=3SIKAZtPIUWyxYNFCWf6V3WYDp%2BNA%2FcK0jMWdVR7sEc%3D&reserved=0
> <https://datatracker.ietf.org/doc/draft-deng-httpbis-unknown-content-coding/>
> HTMLized:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-deng-httpbis-unknown-content-coding&data=05%7C02%7Cguohuideng%40microsoft.com%7C7736da90b9994adb7a5908dd840dc201%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638811916843773997%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=LvWphsxMZKfSWk5qqvAwAsg8yStFfCtiBW0JPM953XE%3D&reserved=0
> <https://datatracker.ietf.org/doc/html/draft-deng-httpbis-unknown-content-coding>
>
>
> Abstract:
>
>    This document proposes a new reserved value unknown for the HTTP
>    protocol parameter content coding.
>
>
>
> The IETF Secretariat
>
>
>
Received on Wednesday, 30 April 2025 05:28:05 UTC