Streaming upload and HTTP protocol info leak #1007
Comments
|
We have an issue regarding |
|
Yeah, when I read the |
yutakahirano
changed the title
|
Thank you for the clarification! I changed the issue title. |
|
I'm considering below API in fetch: fetch('https://grpc.example.com/posts', {
method: 'POST',
body: createReadableStream(content),
AllowHTTP1ForStreamingUpload: false})
.catch((error) => {
// This error flag is also a new API.
// This means middleboxes forced H1 (e.g. a local proxy),
// and the author can detect that and fall back to non-streaming upload.
if (error.IsHTTP1Negotiated) {
fallbackUploadWithoutStream(content);
}
});With that, web author knows the negotiated protocol is HTTP/1. |
|
I didn’t think the proposal was for a new error API. Is that actually
necessary? PerformanceResourceTiming already provides error surface,
doesn’t it?
Having an explicit API, especially beyond Network Error, seems like it
would require much more careful security review.
|
|
@sleevi Is a PerformanceResourceTiming record added for failure cases? |
https://w3c.github.io/resource-timing/#resources-included-in-the-performanceresourcetiming-interface
|
|
Thank you. The problematic part is, usually we know the HTTP version when the response arrives, in this case we need to fail the request before sending the request. Also we were talking about rejecting the request when the server likely to use HTTP/0.9 and HTTP/1.0: #966 (comment). Does the following make sense to you?
|
|
I think session existence and the flag are independent to each other.
Also there is no difference between Same-origin and Cross-origin case. Is that true? |
I’m not sure I understand? You know the transport protocol before you’ve sent the request. Either:
The only time you need the response to know the version is when you’re talking <= H/1, but that’s OK, because you already know that by needing that, you’re talking H/1 |
|
Friendly ping @yutakahirano ? |
|
Sorry for the delay. I think we would like to fail a request if it likely ends up using HTTP/1.0 or HTTP/0.9 even when AllowHTTP1ForStreamingUpload is true. Please see #966 (comment). |
|
Let me re-summarize the chart: Same-origin case:
Cross-origin case:
Following this chart, fetch() upload streaming behaves different only when a web author knows the protocol with a previous response then this doesn't leak the protocol. |
|
What is the main resource? |
|
The document / worker top script from which the fetch is initiated. |
|
What if that's a blob URL or data URL? Is this another kind of policy we need to inherit all over in (currently) buggy ways? |
|
That information is used as a hint when we don't get information via ALPN. I don't think we need to provide that information for all cases - for example we can assume that the HTTP version is HTTP 1.0 when
|
|
This still feels like a lot of complexity (and edge cases to test) over failing when >= H/2 could not be negotiated. |
Booleans should default to false, so consider flipping this to e.g. |
I’m not sure why a dependency on the previous request is being made? The new request should more or less be independent. If it’s trying to avoid protocol leaks, they still happen in this model, because the client only sees the protocol to the intermediary and the server only sees the protocol from the intermediary, and they’re not necessarily the same. It seems like this can just be:
I’m not sure why the distinction here on 1.0 / 0.9 responses, because it’s the request that’s sending the chunked encoding. Am I missing something basic? |
Since I noticed upload streaming over HTTP/1.1 is flaky and unreliable,
We require HTTPS. This prevents any unauthorized intermediates (i.e. not explicitly authorized by the server or the user) from breaking. From #966 (comment)
I don't understand why protocol leaks with my chart given the asymmetric characteristic and yours block that. Could you explain more? @sleevi |
|
I checked the ALPN numbers (for Chrome). On Windows:
On Android:
|
|
What do those numbers mean? That ~50% of page loads use HTTP/2? For this feature what we need is a site attempting to use HTTP/2 and it failing for a percentage of users, right? |
|
They're per TLS connection status, and hence unencrypted HTTP is excluded.
This depends on I think we have four cases:
With With
If "ALPN not used" were much smaller than "HTTP/1.1 negotiated via ALPN" we didn't need to take much care of 3 and 4 but apparently that's not the case. |
|
My understanding of your data and above comment is that a larger number of sites would have to update their server to use this feature. Why is that considered problematic? |
|
Sorry I'm not sure if I understand your point... What do you think is the best for 3 and 4 in #1007 (comment) when |
|
I don't understand why we can't require H/2 as a baseline. |
|
I see. If you don't want to reveal the protocol anyone is using, then for 3/4 you need to try (as sleevi also indicated I think). The "main resource" or even the "CORS preflight" might well come from a different server. And proxies might also do different things depending on the type of request. |
|
Given that this protocol leak is concerned if fetch upload streaming has an API to check which protocol is accepted and the API decision will be done on #966, |
|
Belatedly catching up... Seems to me that it would be near impossible for us to prevent the observable differences between HTTP/1.0, HTTP/1.1 and HTTP/2. They request sending and TCP/TLS connection patterns are different enough to make them highly observable without requiring a direct API. |
|
Thank you very much. Let me close this issue. |
and others
At #966 we are talking about restricting the streaming upload feature only for certain HTTP versions (H1.1 and above, or H2 and above).
This may leak protocol versions, so we are wondering if
Timing-Allow-Originis needed.On the other hand, the feature requires CORS preflight and some resource timing people talked about a possibility that CORS implies TAO.
@yoavweiss @npm1 What do you think?
cc: @sleevi @annevk @yoichio
The text was updated successfully, but these errors were encountered: