Re: UPGRADE: 'HTTPS' header causing compatibility issues.

On Wed, Jul 1, 2015 at 2:41 PM, Adrian Hope-Bailie <adrian@hopebailie.com>
wrote:

> I suggest "Prefer: Transport-Security" as that is effectively what the
> client is asking for.
>

If `Vary` isn't an issue, then yes, something like this seems totally
reasonable: https://github.com/w3c/webappsec/issues/216 has some earlier
iterations that we threw away. Since we're painting, I'd spell it `Prefer:
secure-transport`, but whatever.


> WRT caching, it seems to me that a server that supports the upgrade will
> do a redirect when it first receives this header and should simply use
> Cache-Control : no-store in the redirect response and never use the Vary
> header anyway. It's likely that in the upgrade scenario this flow will only
> happen once per client and so the value of caching this step is low.
>

I defer to people who know more about the network stack than I, but yes.
This seems like a reasonable thing for servers to do.

Also, not sure why it's critical to drop a few bytes from the headers at
> the expense of making this understandable?
>

If this is an advertisement that goes out on every navigational request;
those bits get expensive when you multiply them by a bajillion users.
Happily, magical header compression dust can be sprinkled on HTTP/2
connections, which removes all cost from header injection (all cost!
really! mostly! kinda! not really. :( ).

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 1 July 2015 13:32:04 UTC