http-extensions

HTTP Extensions in progress

Results 169 http-extensions issues

From https://github.com/httpwg/http-extensions/issues/1927#issuecomment-1030299479, it sounds like the intent with the client certs draft is that the proxy does little to no certificate validation and punts all of it to the origin....

client-cert-field

There's a bunch of text in the draft about putting the certificate chain in the right order. This tries to crib from TLS and ends up being somewhat tricky to...

client-cert-field

In section https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-variants-06#section-3 1. For the following example, could you please elaborate why `Variant-Key` header can be considered completely absent? ``` Variants: Accept-Encoding=(gzip br), Accept-Language=(en fr) Variant-Key: (gzip fr), (identity...

editorial
variants

In appendix, https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-variants-06#appendix-A.3 currently, it's

```
accept-encoding-available-value = language-range
```

it might be as follows:

```
accept-language-available-value = language-range
```

editorial
variants

Following the RFC6265bis section 4.1.1 a cookie-value can contain only ASCII chars: ``` cookie-name = token cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-octet = %x21 / %x23-2B...

6265bis
defer

While most cookies don't have layers in my experience ([turns out that is limited](https://www.google.com/search?q=cookie+layer&tbm=isch)), some layering would be appropriate for the HTTP State Management Mechanism. I touched upon this last...

6265bis
defer

There is an ABNF syntax given for the Set-Cookie header [in section 4.4.1](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07#section-4.1.1), however many aspects of this are not enforced in the actual parsing algorithm [in section 5.3](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07#section-5.3). The...

editorial
6265bis
defer

If I have a website that I want to allow framing by trusted third-parties (via CSP frame-ancestors), I can't use SameSite cookies to prevent CSRF attacks. This is unfortunate as...

6265bis
6265bis samesite
defer

Does it implicitly invalidate anything cached before?

variants

Do we need an explicit way to key against a header that isn't present? Or just say that absence is part of the key too (effectively a null value). How...

variants