- From: Martin Thomson <mt@lowentropy.net>
- Date: Thu, 15 May 2025 09:17:46 +1000
- To: "Ben Schwartz" <bemasc@meta.com>
- Cc: "Tommy Pauly" <tpauly@apple.com>, "Working Group HTTP" <ietf-http-wg@w3.org>
On Thu, May 15, 2025, at 01:29, Ben Schwartz wrote: >> On May 11, 2025, at 9:48 PM, Martin Thomson <mt@lowentropy.net> wrote: >> >> Section 7 gets this right, but the treatment of Upgrade doesn't. >> >> connect-udp is allowed to be optimistic for reasons that are left unjustified. > > I don’t think this is correct. Wow, did I misread that. Apologies there. Maybe this could be made more direct, with the words (not the changes) saying directly what you intend. s/To avoid these concerns, this text is updated as follows/To avoid these concerns, this text is updated to exclude HTTP/1.1 from any optimistic sending, as follows/ > The vulnerability in “connect-udp” was mostly hypothetical: it requires > registering Capsule Types with values that (as a varint) are also a > valid HTTP method name characters Why would you assume that the intermediary (the thing being exploited in the attack) would be using only approved capsules? Isn't it possible that they are being supplied with the entirely of the content, not just the capsule innards?
Received on Wednesday, 14 May 2025 23:18:22 UTC