Re: [whatwg/fetch] Streaming upload and HTTP protocol info leak (#1007) from Yoichi Osato on 2020-04-10 (public-webapps-github@w3.org from April 2020)

From: Yoichi Osato <notifications@github.com>
Date: Thu, 09 Apr 2020 20:50:06 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1007/611864454@github.com>

I'm considering below API in fetch:
```javascript
fetch('https://grpc.example.com/posts', {
  method: 'POST',
  body: createReadableStream(content),
  AllowHTTP1ForStreamingUpload: false})
.catch((error) => {
    // This error flag is also a new API.
    // This means middleboxes forced H1 (e.g. a local proxy), 
    // and the author can detect that and fall back to non-streaming upload.
  if (error.IsHTTP1Negotiated) {
   fallbackUploadWithoutStream(content);
  }
});
```
With that, web author knows the negotiated protocol is HTTP/1.
This can be abused as `nextHopProtocol`? If so, how might we refrain from it?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1007#issuecomment-611864454

Received on Friday, 10 April 2020 03:50:19 UTC