Merge pull request #4986 from quicwg/qpack/rfced_fixes
Auth48 fixes for QPACK
MikeBishop committed May 9, 2022
2 parents eacf77e + f339d66 commit 1cb0025f90456f6f04b2032e7f5609a805fc0253
Showing with 21 additions and 21 deletions.
  1. +21 −21 rfc9204.md
@@ -16,8 +16,7 @@ author:
-
ins: C. Krasic
name: Charles 'Buck' Krasic
org: Netflix
email: ckrasic@netflix.com
email: krasic@acm.org
-
ins: M. Bishop
name: Mike Bishop
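
Review bot: The C. Krasic author entry appears to lose its `org: Netflix` line along with the old address: the header counts (8 lines before, 7 after) mean two lines are removed and only one is added. If dropping the affiliation is intended, say so in the commit message, since "Auth48 fixes for QPACK" gives a later reader no hint that author metadata changed.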
@@ -523,9 +522,10 @@ it specifies any other value, or omits SETTINGS_QPACK_MAX_TABLE_CAPACITY from
SETTINGS, the encoder must treat this as a connection error of type
QPACK_DECODER_STREAM_ERROR.

For HTTP/3 servers and HTTP/3 clients when 0-RTT is not attempted or is
rejected, the maximum table capacity is 0 until the encoder processes a SETTINGS
frame with a non-zero value of SETTINGS_QPACK_MAX_TABLE_CAPACITY.
For clients not using 0-RTT data (whether 0-RTT is not attempted or is rejected)
and for all HTTP/3 servers, the maximum table capacity is 0 until the encoder
processes a SETTINGS frame with a non-zero value of
SETTINGS_QPACK_MAX_TABLE_CAPACITY.

When the maximum table capacity is zero, the encoder MUST NOT insert entries
into the dynamic table and MUST NOT send any encoder instructions on the encoder
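
Review bot: The reworded sentence qualifies only one of the two roles: it reads "For clients not using 0-RTT data ... and for all HTTP/3 servers", where the old text said "HTTP/3 servers and HTTP/3 clients". Write "HTTP/3 clients" or drop the qualifier from both so the roles read in parallel. The rejected-0-RTT case also now sits in a parenthetical even though it determines that the encoder's maximum table capacity is 0 until SETTINGS is processed; consider keeping it in the main clause.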
@@ -638,8 +638,8 @@ throughout. This string format includes optional Huffman encoding.

HPACK defines string literals to begin on a byte boundary. They begin with a
single bit flag, denoted as 'H' in this document (indicating whether the string
is Huffman-coded), followed by the Length encoded as a 7-bit prefix integer, and
finally Length bytes of data. When Huffman encoding is enabled, the Huffman
is Huffman encoded), followed by the Length encoded as a 7-bit prefix integer,
and finally Length bytes of data. When Huffman encoding is enabled, the Huffman
table from {{Section B of RFC7541}} is used without modification and Length
indicates the size of the string after encoding.

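Review bot: Check the rest of rfc9204.md for remaining uses of "Huffman-coded" before merging; this hunk changes only the occurrence in the 'H' flag parenthetical, and mixed usage across the document would be worse than either spelling. The new form does agree with "Huffman encoding" in the following sentence.
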
@@ -1200,12 +1200,12 @@ This is possible even over the Transport Layer Security Protocol
while TLS and QUIC provide confidentiality protection for content, they only
provide a limited amount of protection for the length of that content.

Note:

: Padding schemes only provide limited protection against an attacker with these
capabilities, potentially only forcing an increased number of guesses to learn
the length associated with a given guess. Padding schemes also work directly
against compression by increasing the number of bits that are transmitted.
{:aside}
> Note: Padding schemes only provide limited protection against an attacker with
these capabilities, potentially only forcing an increased number of guesses to
learn the length associated with a given guess. Padding schemes also work
directly against compression by increasing the number of bits that are
transmitted.

Attacks like CRIME ({{CRIME}}) demonstrated the existence of these general
attacker capabilities. The specific attack exploited the fact that DEFLATE
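
Review bot: In the new padding note only the first line carries the `>` marker, so the remaining four lines depend on lazy continuation to stay inside the blockquote. Prefix every line of the note with `>` so that a later re-wrap or an inserted blank line cannot silently move part of the text out of the aside.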
@@ -1281,14 +1281,14 @@ re-encoded by an intermediary without knowledge of which entity constructed a
given message, the intermediary could inadvertently merge compression contexts
that the original encoder had specifically kept separate.

Note:

: Simply removing entries corresponding to the field from the dynamic table can
be ineffectual if the attacker has a reliable way of causing values to be
reinstalled. For example, a request to load an image in a web browser
typically includes the Cookie header field (a potentially highly valued target
for this sort of attack), and websites can easily force an image to be
loaded, thereby refreshing the entry in the dynamic table.
<aside><t>
Note: Simply removing entries corresponding to the field from the dynamic table
can be ineffectual if the attacker has a reliable way of causing values to be
reinstalled. For example, a request to load an image in a web browser typically
includes the Cookie header field (a potentially highly valued target for this
sort of attack), and websites can easily force an image to be loaded, thereby
refreshing the entry in the dynamic table.
</t></aside>

### Never-Indexed Literals

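Review bot: The markup for asides is inconsistent within this commit: the Cookie note here uses raw `<aside><t>` ... `</t></aside>`, while the padding note in the hunk at line 1200 uses the `> Note:` blockquote form. Use one form for both notes, or, if the rendering toolchain requires the difference, record the reason in the commit message.
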