Re: Working Group Last Call: draft-ietf-httpbis-optimistic-upgrade-03

________________________________
From: Martin Thomson <mt@lowentropy.net>

> Maybe this could be made more direct, with the words (not the changes) saying directly what you intend.  s/To avoid these concerns, this text is updated as follows/To avoid these concerns, this text is updated to exclude HTTP/1.1 from any optimistic sending, as follows/

Sure, sounds good.  Posted as https://github.com/httpwg/http-extensions/pull/3091.

>> The vulnerability in “connect-udp” was mostly hypothetical: it requires
>> registering Capsule Types with values that (as a varint) are also
>> valid HTTP method name characters

> Why would you assume that the intermediary (the thing being exploited in the attack) would be using only approved capsules?  Isn't it possible that they are being supplied with the entirety of the content, not just the capsule innards?

"connect-udp" clients normally forward untrusted UDP data, converted into capsules.  That's supposed to be safe.  I'm not aware of a deployment model in which an untrusted party would supply capsules that are included without inspection.  That seems more obviously dangerous, and I'm not sure it qualifies as "implementing connect-udp".

--Ben

Received on Thursday, 15 May 2025 05:31:04 UTC
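
Added example, not part of the original message or the draft: a registry-hygiene check for the condition quoted above, that a Capsule Type value, once encoded as a varint, consists only of HTTP method name (`tchar`) bytes. The function names are hypothetical; the check assumes minimal-length varint encoding (RFC 9000, Section 16) and looks only at the type field, not at the capsule length or value that follow it.

```python
import string

# RFC 9110 "tchar": the only bytes allowed in an HTTP method name (token).
TCHAR = frozenset((string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode())


def encode_varint(value: int) -> bytes:
    """Encode value as a minimal-length QUIC varint (RFC 9000, Section 16)."""
    if value < 0:
        raise ValueError("varints are unsigned")
    # The top two bits of the first byte (the prefix) select the total length.
    for prefix, length in ((0, 1), (1, 2), (2, 4), (3, 8)):
        usable_bits = 8 * length - 2
        if value < 1 << usable_bits:
            return (value | prefix << usable_bits).to_bytes(length, "big")
    raise ValueError("value exceeds 62 bits")


def type_looks_like_method(capsule_type: int) -> bool:
    """True if every byte of the encoded type is a valid method-name byte."""
    return all(b in TCHAR for b in encode_varint(capsule_type))


def method_like_types(limit: int) -> list[int]:
    """All capsule type values below limit whose encoding is all-tchar."""
    return [t for t in range(limit) if type_looks_like_method(t)]


if __name__ == "__main__":
    # Constructed sample values. 0x00 is the DATAGRAM capsule type (RFC 9297);
    # the others are arbitrary codepoints chosen to show each encoding length.
    for t in (0x00, 0x21, 0x0745, 0x4000):
        enc = encode_varint(t)
        print(f"type {t:#06x} -> {enc.hex()} method-like: {type_looks_like_method(t)}")
    # 4- and 8-byte encodings start with a byte >= 0x80, which is never a
    # tchar, so only values below 2**14 can be method-like.
    print(len(method_like_types(1 << 14)), "method-like values below 2**14")
```

A registry reviewer could run `type_looks_like_method` over proposed codepoints and steer new allocations away from the values it flags.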