[whatwg/fetch] HTTPS-RR upgrades are in the wrong place (Issue #1789) from David Benjamin on 2024-11-26 (public-webapps-github@w3.org from November 2024)

From: David Benjamin <notifications@github.com>
Date: Tue, 26 Nov 2024 11:35:52 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1789@github.com>

I was going to leave this as a comment to #1426, but that is about making HSTS use a synthesized redirect, and this is about a DNS-level upgrade:

For HTTPS-RR, it's actually _already_ defined as a synthesized redirect:
https://www.rfc-editor.org/rfc/rfc9460.html#name-http-strict-transport-secur

Fetch's attempt to respecify this also seems to be wrong because [this position](https://fetch.spec.whatwg.org/#basic-fetch:~:text=Matching%20request%E2%80%99s,HSTS%5D%20%5BSVCB%5D) would suggest it happens before Service Workers or HTTP caching happens or anything! Respecifying it is also problematic because RFC 9460 contains a ton of other machinery that we wouldn't want to respecify.

Looking at where to put it instead, the natural place would be to just add to [this line](https://fetch.spec.whatwg.org/#concept-http-network-fetch:~:text=Follow%20the%20relevant%20requirements%20from%20HTTP.%20%5BHTTP%5D%20%5BHTTP%2DCACHING%5D) in HTTP-network fetch.

But the problem is Fetch tries to specify connection management in detail, even though this isn't really accurate given things like QUIC, Happy Eyeballs v2 and the upcoming [Happy Eyeballs v3](https://datatracker.ietf.org/doc/draft-pauly-v6ops-happy-eyeballs-v3/). So it's hard to just defer to the HTTPS/SVCB RFC in its entirety. I think we'd need to defer to more IETF documents in connection management, or continue to respecify things. I would much prefer the former, to reduce all this duplicate busywork, but I suspect the latter is easier for now.

The way we do this in Chrome is that our DNS lookup machinery, if it sees an HTTPS record when we're making an HTTP fetch, we return a special error that the HTTP layer catches to synthesize a redirect. That's probably the right way to model it in Fetch as well. We'd have to tweak [resolve an origin](https://fetch.spec.whatwg.org/#resolve-an-origin) and a couple of its callers up the stack.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1789
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1789@github.com>

Received on Tuesday, 26 November 2024 19:35:55 UTC