Re: [whatwg/fetch] Request body streams should use chunked encoding (#966)

@yutakahirano I appreciate the desire to mitigate intermediaries, but I don't think preflights really address that holistically. While unencrypted HTTP may have intermediaries present anywhere along the network path, even encrypted (TLS) connections can still have intermediaries. They generally fall into one of two places - intermediaries near the server (which @mnot mentioned) and intermediaries near the client (e.g. local security policy, antivirus, etc.).

A preflight doesn't really address intermediaries near the client, and it seems unlikely in practice that it'd successfully consistently address intermediaries near the server, since in both cases, they would generally transmit the header unmodified.

It might be tempting to say "intermediaries near the server need to have the server's private key, so that's the server's problem", and that "intermediaries near the client won't be able to use publicly trusted certificates, so we can require them" - but now that exposes a side-channel to servers that we presently and intentionally don't expose to the Web.

I'm sympathetic that "the ecosystem may be (... is probably) ossified" is not a reason not to do it, but I think this gets back to @MattMenke2's remark in https://github.com/whatwg/fetch/issues/966#issuecomment-555837984

This same conceptual challenge is the same underlying problem the ecosystem faced with TLS 1.3. This took years to successfully do, and generally required a variety of 'hacks' and workarounds in order to eventually get something successfully through. This worked reasonably well for something evolving and that had flexibility to have those workarounds, but I don't think we'd have the same leverage here.

That's why this still represents a major investment to "do it right", even if we could potentially "do it quick", and have it cause a host of long-tail issues. My only worry is that we then punt those long-tail issues to web servers, and we've tried to avoid that (see also the WebSockets handshake).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/966#issuecomment-564655414

Received on Wednesday, 11 December 2019 17:43:39 UTC