meejah

I think it makes sense to have a default. I think `kill` makes the most sense as a default, as it's the "most complete" and will give you end-to-end cancelling...

So yes I think the router has to keep some amount of state until it hears from the callee so it doesn't protocol-error it. There are I think three cases:...

@gammazero I'm not sure if I follow the reasoning for `skipnowait` to be the default? It's likely that the caller is giving up on the callee if we're trying to...

That wording usually comes from https://www.ietf.org/rfc/rfc2119.txt but yes, being explicit would be good.

@gammazero you have to be even more careful than just "is there salt", it has to be the same for the same (wrong) authid -- if I try twice and...

> but we would also need to specify that a router would always challenge the client, even when it already knows it is not accepted (eg authid is not know)....

As per https://github.com/crossbario/crossbar/blob/master/crossbar/worker/container.py#L213 it does look like this behavior (killing a component if it raises an exception from a handler) is on purpose -- would be easy to make non-fatal,...

Personally, I think it's better to log and keep going -- but perhaps this should be an option? That is, by default we log and keep going (I think this...

This sounds relevant: https://twistedmatrix.com/documents/current/web/howto/using-twistedweb.html#request-encoders However, this is also relevant: https://en.wikipedia.org/wiki/BREACH_%28security_exploit%29 Unfortunately, I don't know that attack well enough to know when it's safe to combine TLS and compression...

Okay, yes, merely setting MIME types etc sounds like a good idea (and not a security problem).