Re: Éric Vyncke's No Objection on draft-ietf-httpbis-optimistic-upgrade-05: (with COMMENT)

________________________________
From: Éric Vyncke via Datatracker <noreply@ietf.org>
Sent: Monday, September 15, 2025 7:19 AM

...
> Like other ADs, I think that an introduction will be useful.

Let me know if the proposed introduction text (https://github.com/httpwg/http-extensions/commit/ae6203dbff9fd7aea707df98c4d12b640fa5c4bd) is not sufficient.

> Should Upgrade be quoted to make it visible that it is a protocol item ?

"Upgrade" is an HTTP header field name.  The HTTP Editorial Style Guide says "When referring to a field defined in a different document, the first instance should include a reference, and all instances should be unquoted." (https://httpwg.org/admin/editors/style-guide#header-and-trailer-fields).

> I.e.,
> s/A request using Upgrade might be rejected/A request using "Upgrade" might be
> rejected/

BTW, this specific sentence has been removed (https://github.com/httpwg/http-extensions/commit/97852dca45e2b2d297c35707d5f96ca7b0367d41).

> Who is the "we" in `we call` ? The author ? The WG ? The IETF Community ?
> Please avoid using vague and ambiguous "we" (e.g., by using passive mode).

OK, changed to

   the data it provides is potentially "attacker-controlled"

> Probably due to my own lack of expertise in the area, but I find the
> explanations and examples (in this section and its sub-sections) not easy to
> understand.

OK, I've added a figure showing a trace of the bytes sent in each direction during the example attack, with detailed explanation of each party's actions.

> Perhaps because English is not my primary language, but the title of the
> section includes "Guidance", i.e., it does not smell normative while it
> actually is.

OK, changed to "Requirements for HTTP CONNECT"

> The use of a "MUST" with an unless as in `unless the client is known to wait
> for a 2xx` is rather weird, but perhaps clearer than a "SHOULD" with the same
> unless...

In general, I think SHOULD is for cases where implementations that ignore the guidance entirely are still considered "compliant".  That is not the case here.

> How can a server check that `the client is known to wait for a 2xx` ? At the
> bare minimum the text should contain "how it is done is out of scope".

OK, I've added "Proxy servers can identify compliant clients using the request's User-Agent header field and the user-agent vendor's documentation regarding its compliance."

You can see these changes at https://github.com/httpwg/http-extensions/commit/9cc013b091e4e94add4a6c245d0273d224b80a35

--Ben Schwartz

Received on Monday, 15 September 2025 15:16:27 UTC
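The thread above leaves open what a proxy actually does with the "unless the client is known to wait for a 2xx" carve-out and the User-Agent check that backs it. The following is an added example, not code from the draft, the HTTP WG, or the author of the message, and the policy it encodes is an assumption about how such a carve-out could be applied, not the draft's normative text. It models a proxy that has parsed a CONNECT request head and finds additional bytes already on the connection before it has sent any response. The allowed-target set, the allowlist of User-Agent product tokens whose vendors document that they wait for a 2xx, and every sample request are constructed for this example.

```python
"""Proxy-side handling of bytes that arrive after a CONNECT request head but
before the proxy has sent its response (added example; assumptions labelled)."""
from dataclasses import dataclass

# Hypothetical policy inputs, constructed for this example (not from the draft):
ALLOWED_TARGETS = {"example.com:443"}
# User-Agent product tokens whose vendor documentation says the client waits
# for a 2xx before sending tunnel data. The names are invented.
KNOWN_WAITING_PRODUCTS = {"WaitingClient/2.0"}


@dataclass
class Outcome:
    status: int    # status code the proxy sends in reply to the CONNECT
    early: bytes   # bytes that followed the request head before any response
    handling: str  # "none", "tunnel", "http", or "discard_close"


def parse_head(raw: bytes):
    """Split one HTTP/1.1 request head from whatever follows it.

    Returns (method, target, headers, remainder) or None if the head is
    incomplete or malformed. Deliberately minimal: no folding, no validation
    of field-value characters."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return None
    head, rest = raw[:end], raw[end + 4:]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return parts[0].decode("ascii"), parts[1].decode("ascii"), headers, rest


def client_known_to_wait(headers) -> bool:
    """The User-Agent check the thread describes: match product tokens against
    a locally maintained allowlist derived from vendor documentation.
    Parenthesised comments are skipped crudely (split on whitespace)."""
    ua = headers.get("user-agent", "")
    tokens = [t for t in ua.split() if not t.startswith("(")]
    return any(t in KNOWN_WAITING_PRODUCTS for t in tokens)


def handle_connect(raw: bytes) -> Outcome:
    """Decide the CONNECT response and what to do with any early bytes.

    Assumed policy: early bytes are only ever parsed as HTTP when the client
    is known to wait for a 2xx; otherwise they go into the tunnel (on success)
    or are discarded and the connection is closed (on rejection)."""
    parsed = parse_head(raw)
    if parsed is None:
        return Outcome(400, b"", "discard_close")
    method, target, headers, early = parsed
    if method != "CONNECT":
        return Outcome(405, early, "discard_close")
    if target in ALLOWED_TARGETS:
        # Once the 2xx is sent, everything after the head belongs to the tunnel.
        return Outcome(200, early, "tunnel" if early else "none")
    if not early:
        return Outcome(403, b"", "none")
    if client_known_to_wait(headers):
        # The vendor documents that this client waits for 2xx, so these bytes
        # can only be a pipelined HTTP request; parsing them as HTTP is safe.
        return Outcome(403, early, "http")
    # Unknown client: the bytes may be tunnel data it sent optimistically, i.e.
    # data chosen by whoever the client was talking to, not by the client. Do
    # not interpret them as a new HTTP request; drop them and close.
    return Outcome(403, early, "discard_close")


if __name__ == "__main__":
    sample = (b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example:443\r\n"
              b"User-Agent: OptimisticThing/1.0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n")
    print(handle_connect(sample))
```

The "discard_close" branch is where the carve-out matters: the same early bytes are treated as an HTTP request only when the User-Agent allowlist vouches for the client, which is exactly the distinction the message says a proxy can draw from the User-Agent field plus vendor documentation.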