W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

[upgrade] return=secure-representation

From: Nottingham, Mark <mnotting@akamai.com>
Date: Fri, 13 Mar 2015 04:48:44 +0000
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <60FA7896-BABD-4460-A733-CF123F67380D@akamai.com>
A) This is a horrible, horrible name.

1) What does it mean for a returned representation to be 'secure' -- is it that the links in it are to secure resources, or that it itself is secure?

2) There's no good reason to overload the existing 'return' preference, because the client is requesting a *redirect* to a different resource, not a representation of the current resource (<http://httpwg.github.io/specs/rfc7231.html#identification>).

3) It's long -- who will save the little network bytes? Yes, h2 has header compression, but that's no reason to be so needlessly verbose.

I'd suggest either:

Prefer: redir2sec

... or creating another, even shorter request header altogether (they're cheap).


B) If the server is making decisions based upon the presence or absence of this directive, it needs to either be a) uncacheable or b) listed in Vary.

Example 3 should be updated to something like:

---8<---
A client that supports this document's upgrade mechanism requests http://example.com/ as follows:

  GET / HTTP/1.1
  Host: example.com
  Prefer: redir2sec

The server parses the reference, notices that the users' client can deal well with upgrade requests, and therefore responds to the request by redirecting the user to a secure version of the resource she's requesting:

  HTTP/1.1 302 Moved Temporarily
  Location: https://example.com/
  Vary: Prefer

Note that Prefer is listed in the Vary header, since otherwise the redirect response could be served by caches to clients that don't support this mechanism. The same effect can be achieved by making it uncacheable;

  HTTP/1.1 302 Moved Temporarily
  Location: https://example.com/
  Cache-Control: no-store

See [RFC7235] for more information.

--->8---


(Note that Connection: keep-alive is *not* relevant in HTTP/1.1).


--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/
Received on Friday, 13 March 2015 04:49:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC