Re: [whatwg/fetch] Streaming upload (Issue #1438) from Yutaka Hirano on 2022-06-09 (public-webapps-github@w3.org from June 2022)

From: Yutaka Hirano <notifications@github.com>
Date: Thu, 09 Jun 2022 05:02:57 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1438/1151034758@github.com>

> The https://github.com/whatwg/fetch/issues/966#issuecomment-554985629 does not mention security concerns. Are you saying that you want to explicitly support SSL-breaking man-in-the-middle boxen, and would like to remove a feature from HTTP, because such encryption-breaking boxes might not explicitly support it? Or am I misunderstanding you?

Maybe [this comment](https://github.com/whatwg/fetch/issues/966#issuecomment-573057154) is cleaerer? "Security issue" may be a wrong term, but I think it's clear there is an issue.

> The spec currently does allow HTTP/1.1. Now, PR https://github.com/whatwg/fetch/pull/1444 is proposing to explicitly forbid it. That's new. I do not see a good reason to forbid it and to stop others from implementing it.

Yes, and converns have raised from multiple people at #966. We need to address the concerns before shipping this feature. The easiest way is blocking HTTP/1.1, and that's what I'm doing.

> Instead, could you change the spec to more clearly state how you intend to support this feature with HTTP/2, allowing you to implement what you call "MVP", but could you leave the HTTP/1.1 part of the spec simply as-is, allowing others like Firefox or node.js to implement it for HTTP/1.1 as well?

That's explicitly opposed in #966.

> I'd be opposed to leaving the decision whether to support chunked encoding up to implementers.
https://github.com/whatwg/fetch/issues/966#issuecomment-562046885

> Suggestion
> 4. Require implementors to minimally support the above (i.e they MUST attempt to support chunked encoding if the above invariants hold)
https://github.com/whatwg/fetch/issues/966#issuecomment-573057154

I recommend you to discuss at #966. 

I'm proposing to block HTTP/1.1 for now. Blocking it for now doesn't mean blocking it forever. When you get an agreement at #966, we'll be able to allow it.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1438#issuecomment-1151034758
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1438/1151034758@github.com>

Received on Thursday, 9 June 2022 12:03:09 UTC