- From: Ben <benjamin.gemmill@gmail.com>
- Date: Tue, 3 Dec 2019 16:48:50 -0500
- To: public-webappsec@w3.org
- Message-ID: <CAH=DER2Mmp6PQfo-hqw9LH2tzayKk3g9H+vg-GjtyG+mg1V4Xg@mail.gmail.com>
Good afternoon,

I'm trying to make a number of API requests to an endpoint that has excessively large CSP headers in the replies, and this seems like the best place to ask about what to do.

In practice I'm going to be making a lot of API calls, and CSP headers have become a bandwidth issue. For example:

    $ curl --http1.1 -Lis https://api.itbit.com/v1/markets/XBTUSD/ticker | wc -c
    4474

That reply only has a body-length of 428, and the vast majority of the rest are CSP headers. HTTP2 doesn't help much, because api.itbit.com marks all header fields as sensitive, so they skip the hpack table:

    $ nghttp -v --multiply=2 https://api.itbit.com/v1/markets/XBTUSD/ticker | grep "recv HEADERS frame"
    [ 0.436] recv HEADERS frame <length=2925, flags=0x04, stream_id=13>
    [ 0.437] recv HEADERS frame <length=2842, flags=0x04, stream_id=15>

Is there a way to signal that the request is not coming from a browser so these headers may be suppressed or at least reduced?

Thanks a lot,
--Ben

Received on Friday, 6 December 2019 12:54:15 UTC