From 321f3ad6a6ec4c06fbda139a7015ecb4b8fe3b6d Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 23 May 2017 14:46:07 +1000 Subject: [PATCH 1/7] Remove trailing whitespace --- draft-ietf-httpbis-origin-frame.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-origin-frame.md b/draft-ietf-httpbis-origin-frame.md index 0b4ca3cdb..366cb7e6e 100644 --- a/draft-ietf-httpbis-origin-frame.md +++ b/draft-ietf-httpbis-origin-frame.md @@ -39,10 +39,10 @@ given connection. --- note_Note_to_Readers -Discussion of this draft takes place on the HTTP working group mailing list +Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at . -Working Group information can be found at ; source +Working Group information can be found at ; source code and issues list for this draft can be found at . --- middle From 5bba80336bb856995f576b9400a7765ee31fff57 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 23 May 2017 14:57:56 +1000 Subject: [PATCH 2/7] Explain the relationship of this with Alt-Svc This isn't at all clear at first reading, and there is a real operational risk for those who decide to shift load to different server ports. --- draft-ietf-httpbis-origin-frame.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/draft-ietf-httpbis-origin-frame.md b/draft-ietf-httpbis-origin-frame.md index 366cb7e6e..eede86e36 100644 --- a/draft-ietf-httpbis-origin-frame.md +++ b/draft-ietf-httpbis-origin-frame.md @@ -160,6 +160,16 @@ The Origin Set is also affected by the 421 (Misdirected Request) response status MUST create the ASCII serialisation of the corresponding request's origin (as per {{!RFC6454}}, Section 6.2) and remove it from the connection's Origin Set, if present. +Note: + +: A server that acts as an alternative service {{?RFC7838}} might remove the origin that a + client creates the connection for by sending an ORIGIN frame. The single value that is in the + newly-initialized Origin Set will contain the port of the alternative service rather than that + of the origin. For instance, a client making requests for "https://example.com" that is + directed to an alternative at ("h2", "x.example.net", "8443") will seed the origin set with + "https://example.com:8443". This problem can be avoided by explicitly including an origin + with the correct port in the ORIGIN frame. + ## Authority, Push and Coalescing with ORIGIN {#authority} @@ -190,6 +200,9 @@ that a client might have more than one viable connection to an origin open at an occurs, clients SHOULD not emit new requests on any connection whose Origin Set is a proper subset of another connection's Origin Set, and SHOULD close it once all outstanding requests are satisfied. +The Origin Set is unaffected by any alternative services {{?RFC7838}} advertisements made by the +server. Advertising an alternative service does not affect whether a server is authoritative. + # IANA Considerations From f399677a4fae7677a2874d0611a5c06346b65078 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 23 May 2017 18:17:30 +1000 Subject: [PATCH 3/7] Trying again to explain this convoluted scenario --- draft-ietf-httpbis-origin-frame.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/draft-ietf-httpbis-origin-frame.md b/draft-ietf-httpbis-origin-frame.md index eede86e36..807d0aa09 100644 --- a/draft-ietf-httpbis-origin-frame.md +++ b/draft-ietf-httpbis-origin-frame.md @@ -162,11 +162,13 @@ Section 6.2) and remove it from the connection's Origin Set, if present. Note: -: A server that acts as an alternative service {{?RFC7838}} might remove the origin that a - client creates the connection for by sending an ORIGIN frame. The single value that is in the - newly-initialized Origin Set will contain the port of the alternative service rather than that - of the origin. For instance, a client making requests for "https://example.com" that is - directed to an alternative at ("h2", "x.example.net", "8443") will seed the origin set with +: A server that acts as an alternative service {{?RFC7838}} might invalidate the connection for + use with the origin that initiated use of the alternative by sending an ORIGIN frame. If the + port on the alternative service is different from the origin that caused the alternative to be + used, that origin won't be automatically included in the Origin Set. The entry with which the + Origin Set is initialized includes the port of the alternative service rather than that of the + origin. For instance, a client making requests for "https://example.com" that is directed to + an alternative service at ("h2", "x.example.net", "8443") will seed the origin set with "https://example.com:8443". This problem can be avoided by explicitly including an origin with the correct port in the ORIGIN frame. From 4699ed1373a3eac8e4352ee9ebb8abbf82b2861c Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 25 May 2017 15:18:16 +1000 Subject: [PATCH 4/7] Define "initial origin", try to rework note --- draft-ietf-httpbis-origin-frame.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/draft-ietf-httpbis-origin-frame.md b/draft-ietf-httpbis-origin-frame.md index 807d0aa09..0db30c0fc 100644 --- a/draft-ietf-httpbis-origin-frame.md +++ b/draft-ietf-httpbis-origin-frame.md @@ -144,9 +144,9 @@ See {{algo}} for an illustrative algorithm for processing ORIGIN frames. The set of origins (as per {{!RFC6454}}) that a given connection might be used for is known in this specification as the Origin Set. -By default, a connection's Origin Set is uninitialised. When an ORIGIN frame is first received and -successfully processed by a client, the connection's Origin Set is defined to contain a single -origin, composed from: +By default, a connections's Origin Set is uninitialised. When an ORIGIN frame is first received +and successfully processed by a client, the connection's Origin Set is defined to contain an +initial origin. The initial origin is composed from: - Scheme: "https" - Host: the value sent in Server Name Indication ({{!RFC6066}} Section 3), converted to lower case @@ -162,15 +162,17 @@ Section 6.2) and remove it from the connection's Origin Set, if present. Note: -: A server that acts as an alternative service {{?RFC7838}} might invalidate the connection for - use with the origin that initiated use of the alternative by sending an ORIGIN frame. If the - port on the alternative service is different from the origin that caused the alternative to be - used, that origin won't be automatically included in the Origin Set. The entry with which the - Origin Set is initialized includes the port of the alternative service rather than that of the - origin. For instance, a client making requests for "https://example.com" that is directed to - an alternative service at ("h2", "x.example.net", "8443") will seed the origin set with - "https://example.com:8443". This problem can be avoided by explicitly including an origin - with the correct port in the ORIGIN frame. +: Using an alternative service {{?RFC7838}} can result in using a service that has a different + port to the original service (that is, the server that a client contacts when it has no active + alternative services). In that case, the initial origin will have a different port number. A + client could be unable to send requests for the origin that advertised the alternative + service. Explicitly including origins in the ORIGIN frame avoids this problem. + +: For example, a client making requests for "https://example.com" is directed to an alternative + service at ("h2", "x.example.net", "8443"). If this alternative service sends an ORIGIN + frame, the initial origin will be "https://example.com:8443". The client will not be able to + use the alternative service to make requests for "https://example.com" unless that origin is + explicitly included in the ORIGIN frame. ## Authority, Push and Coalescing with ORIGIN {#authority} From ac03c89a36aa499904e482ea5e440ab44e0f0b9f Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 31 Jul 2017 14:53:06 +1000 Subject: [PATCH 5/7] mnot's text suggestion is better --- draft-ietf-httpbis-origin-frame.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/draft-ietf-httpbis-origin-frame.md b/draft-ietf-httpbis-origin-frame.md index 0db30c0fc..5d383272e 100644 --- a/draft-ietf-httpbis-origin-frame.md +++ b/draft-ietf-httpbis-origin-frame.md @@ -149,7 +149,7 @@ and successfully processed by a client, the connection's Origin Set is defined t initial origin. The initial origin is composed from: - Scheme: "https" - - Host: the value sent in Server Name Indication ({{!RFC6066}} Section 3), converted to lower case + - Host: the value sent in Server Name Indication (SNI, {{!RFC6066}} Section 3), converted to lower case - Port: the remote port of the connection (i.e., the server's port) The contents of that ORIGIN frame (and subsequent ones) allows the server to incrementally add new @@ -162,11 +162,13 @@ Section 6.2) and remove it from the connection's Origin Set, if present. Note: -: Using an alternative service {{?RFC7838}} can result in using a service that has a different - port to the original service (that is, the server that a client contacts when it has no active - alternative services). In that case, the initial origin will have a different port number. A - client could be unable to send requests for the origin that advertised the alternative - service. Explicitly including origins in the ORIGIN frame avoids this problem. +: When sending an ORIGIN frame to a connection that is initialised as an Alternative Service + {{?RFC7838}}, the initial origin set {{ref}} will contain an origin with the appropriate + scheme and hostname (since Alternative Services specifies that the origin's hostname be sent + in SNI). However, it is possible that the port will be different than that of the intended + origin, since the initial origin set is calculated using the actual port in use, which can be + different for the alternative service. In this case, the intended origin needs to be sent in + the ORIGIN frame explicitly. : For example, a client making requests for "https://example.com" is directed to an alternative service at ("h2", "x.example.net", "8443"). If this alternative service sends an ORIGIN From b6c50a93213ee475ab4552d6d3aff7db07ebda6a Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 31 Jul 2017 14:55:46 +1000 Subject: [PATCH 6/7] Use the actual reference --- draft-ietf-httpbis-origin-frame.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-origin-frame.md b/draft-ietf-httpbis-origin-frame.md index 5d383272e..38c9a2c62 100644 --- a/draft-ietf-httpbis-origin-frame.md +++ b/draft-ietf-httpbis-origin-frame.md @@ -163,7 +163,7 @@ Section 6.2) and remove it from the connection's Origin Set, if present. Note: : When sending an ORIGIN frame to a connection that is initialised as an Alternative Service - {{?RFC7838}}, the initial origin set {{ref}} will contain an origin with the appropriate + {{?RFC7838}}, the initial origin set {{set}} will contain an origin with the appropriate scheme and hostname (since Alternative Services specifies that the origin's hostname be sent in SNI). However, it is possible that the port will be different than that of the intended origin, since the initial origin set is calculated using the actual port in use, which can be From 73c9519656ce52643878de6d3e240fb299edb943 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 31 Jul 2017 15:29:06 +1000 Subject: [PATCH 7/7] connections's --- draft-ietf-httpbis-origin-frame.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-ietf-httpbis-origin-frame.md b/draft-ietf-httpbis-origin-frame.md index 38c9a2c62..96771f76c 100644 --- a/draft-ietf-httpbis-origin-frame.md +++ b/draft-ietf-httpbis-origin-frame.md @@ -144,9 +144,9 @@ See {{algo}} for an illustrative algorithm for processing ORIGIN frames. The set of origins (as per {{!RFC6454}}) that a given connection might be used for is known in this specification as the Origin Set. -By default, a connections's Origin Set is uninitialised. When an ORIGIN frame is first received -and successfully processed by a client, the connection's Origin Set is defined to contain an -initial origin. The initial origin is composed from: +By default, the Origin Set for a connection is uninitialised. When an ORIGIN frame is first received +and successfully processed by a client, the connection's Origin Set is defined to contain an initial +origin. The initial origin is composed from: - Scheme: "https" - Host: the value sent in Server Name Indication (SNI, {{!RFC6066}} Section 3), converted to lower case