- From: Patrick Meenan <notifications@github.com>
- Date: Tue, 02 Jun 2026 05:30:42 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1854/review/4409619800@github.com>
@pmeenan commented on this pull request. > + then return a <a>network error</a>. + + <li><p>Let <var>availableDictionaryItem</var> be the result of + <a for="header list">getting a structured field value</a> given <a><code>Available-Dictionary</code></a>, + "<code>item</code>", and <var>request</var>'s <a for=request>header list</a>. + + <li><p>If <var>availableDictionaryItem</var> is null, then return a <a>network error</a>. + + <li><p>Let <var>availableDictionaryHash</var> be the <a>bare item</a> of <var>availableDictionaryItem</var>. + + <li><p>Let <var>newBody</var> be a new <a for=/>body</a> whose <a for=body>stream</a> is the + result of transforming <var>response</var>'s <a for=response>body</a>'s <a for=body>stream</a> + with an algorithm that verifies that the dictionary hash in the stream matches + <var>availableDictionaryHash</var> and decodes the rest of the stream with the applicable + algorithm as defined in [[!RFC9842]]. If verification or decoding fails, + error the transformed stream. `availableDictionaryHash` and `Available-Dictionary` are both generated by the client and attributes of the request. The issue we need to protect against is a server responding with a `dcb` or `dcz` stream that was compressed with a dictionary other than the one requested (has happened to more than a few people when deploying because of incorrectly-configured `Vary` response headers). I'm happy to change it to be a network error of some kind if there's a sensible way to plumb that. Where it gets a bit complicated is that it's a problem with the stream, not necessarily the HTTP-level response container and is closer to being a corrupt payload (like sending a brotli payload with `Content-Encoding: zstd`). It also won't show up until the body starts being processed/read. That feels like it's a problem at the stream level rather than the network level but I'm happy to plumb it however it best fits into the spec. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1854#discussion_r3341153776 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1854/review/4409619800@github.com>
Received on Tuesday, 2 June 2026 12:30:47 UTC