- From: Martin Thomson <mt@lowentropy.net>
- Date: Mon, 12 May 2025 14:48:30 +1000
- To: "Tommy Pauly" <tpauly@apple.com>, "Working Group HTTP" <ietf-http-wg@w3.org>
Section 7 gets this right, but the treatment of Upgrade doesn't. connect-udp is allowed to be optimistic for reasons that are left unjustified. The original requirement, which was to abort the connection, would seem to be good for HTTP/1.1, with the overreach for HTTPs /2 and /3 being what needs fixing. It seems like the only reason to allow optimistic sending here is latency. That's important, but we have a solution for that in HTTP/2 and /3, as Section 7 says. I'd much rather we keep the prohibition for HTTP/1.1. More generally, there is just one protocol that has chosen the low latency, high risk choice here. And it's a protocol that is best suited to HTTP/3. I really don't think that's too hard a position to take. Section 6 has some good advice, but Section 6.1 makes an odd recommendation about using GET with Upgrade to "reduce[] the likelihood that a faulty server implementation might process the request body as the new protocol" (in part, the other part is consistency). This would seem to miss the point, because it is not the method of the failed request that matters, but the one afterwards. The fact that GET rarely includes a body is perhaps the only reason that might be relevant here, which might be cause to recommend GET, but the text should say that if it is. But then it would be making another claim that I think is unwise, which is that you can't convince a client to generate a GET with a body, because that becomes part of the defense. If it is part of the defense, the draft needs to say that. I also don't think that it's a reliable defense. Again, I'd much rather say that if you try to transition an HTTP/1.1 connection and it fails, stop using the connection. I realize that this has non-trivial performance costs. Section 7 explains how to deal with that. On Mon, May 12, 2025, at 13:10, Tommy Pauly wrote: > Hello HTTP, > > This email starts a working group last call for > draft-ietf-httpbis-optimistic-upgrade-03, which has no remaining open > issues currently. > > You can find the draft here: > https://www.ietf.org/archive/id/draft-ietf-httpbis-optimistic-upgrade-03.html > https://datatracker.ietf.org/doc/draft-ietf-httpbis-optimistic-upgrade/ > > Please send your review and comments in response to this email, and > file issues to https://github.com/httpwg/http-extensions/issues. > > This call will be open until *Monday, May 26*. > > Best, > Tommy & Mark
Received on Monday, 12 May 2025 04:48:57 UTC