Use of HTTP headers

[dthaler]

Hannes wrote:

The text says that the client uses the Accept header but I don’t see any normative language there. The headers the server uses are listed but my understanding of those is that they are only relevant for co-existence with web browsing. Clearly, the communication we are describing isn’t useful for web browsing scenarios.

IMHO the following statement should be enough: “ The "Cache-control" header SHOULD be set to disable caching of any TEEP protocol messages by HTTP intermediaries. Otherwise, there is the risk of stale TEEP messages. “ To me, the following three headers shown in the draft are an overkill:

X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'none' Referrer-Policy: no-referrer I would also add the following sentence: “ If the TAM does not receive the appropriate Content-Type and Accept header fields, the TAM SHOULD fail the request, returning a 406 (not acceptable) response. TAM responses MUST include a Content-Length header. “

[dthaler]

Addressed in draft -07

[mnot]

Some responses to Hannes' comments:

• My understanding is that TEEP only uses the POST method. If so, Cache-Control does not need to be sent (on requests or responses), because POST responses are uncacheable without both explicit freshness information and a Content-Location header (ref).
• The "overkill" headers might be necessary to prevent some browser-based attacks. Has an analysis been done as to whether they're necessary?
• The proposed text about 406 is not correct. If the Content-Type of the request can't be processed, the appropriate status code to use is 415 Unsupported Media Type. Also, requiring a 406 rather than allowing the server to choose a default representation is stricter than HTTP and goes against common implementation practice; are you sure you want to do that?

Cheers,

[dthaler]

IETF 108 TEEP minutes say:

24 Use of HTTP header

Proposed adding text for codes
    Made change (with a qualification because second sentence of the proposed change was incompatible with 204 No Content return code)
Text says the client uses Accept header but no normative language
Hannes: Overkill in X-Content-Type, Content-Security-Policy with current SHOULD statements
    Proposed to keep SHOULD statements unless Mark Nottingham (as "owner" of BCP56bis) 
    says we should make a change. 
    "Still looks good to me"

[dthaler]

Fixed in draft-08