ietf-wg-httpapi / ratelimit-headers

Repository for IETF WG draft ratelimit-headers

Commas, and potentially combining RateLimit and RateLimit-Policy #131

Open nfriedly opened 1 year ago

nfriedly commented 1 year ago

I noticed that the latest draft uses semicolons to separate things in the RateLimit-Policy header, and commas (and spaces) to separate things in the RateLimit header.

In addition to seeming oddly inconsistent, the commas can lead to confusion (or at least trickier parsing), because RFC 2616 allows for multiples of the same header to be combined with commas separating the values.

(fetch() does exactly this when reading headers on responses. It made cookie parsing a bit of a burden until they finally added a special function for getting uncombined cookie headers.)

Because of that, I would generally recommend avoiding commas, when possible.

(I like the way separate policies are comma-separated, though, because combining multiple policy headers wouldn't lead to confusion in parsing any particular policy.)

Along the same lines of consistency: limit, remaining, reset, burst, and comment are all spelled out, so why is window abbreviated to w and limit not even labeled in the RateLimit-Policy header?

Furthermore, if all the fields were labeled, then why would they even need to be in separate headers? If we combined the two headers, gave every field consistent labeling, and separated fields with semicolons, I think it could be a significant improvement.

Then servers with multiple rate limits would be easier to understand because it would be clear which policy matched which limit. They could either have one header per policy, or they could be combined into a single RateLimit header with each limit/policy separated by commas.

What do you think?

darrelmiller commented 10 months ago

Current draft uses the syntax of structured fields for the two header fields. The RateLimit-Policy is one or more sf-Items which are comma delimited. However, sf-Items can have parameters which are semi-colon delimited.

The RateLimit header uses a sf-dictionary which is a comma delimited list of key-value pairs.

Based on conversations at the last IETF117, the latest proposal is to make both fields an sf-item. I had attempted to update the PR here https://github.com/ietf-wg-httpapi/ratelimit-headers/pull/130.

The basic idea looks like this:

RateLimit-Policy: somepolicy;l=10000;w=1000   // l=limit  w=window
RateLimit: somepolicy;r=500;t=10              // r=remaining  t=reset
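
The parsing concern raised in this thread, as an added example that is not code from the draft or from either commenter: it shows what happens to two RateLimit field lines once they are comma-combined, first in the dictionary shape and then in the item-with-parameters shape. Assumptions: the parsers are simplified (tokens and integer values only, not a full RFC 8941 implementation), multiple items are comma-delimited as described for RateLimit-Policy, and the sample values and the name "otherpolicy" are constructed.

```javascript
// Repeated field lines are joined with ", " when read through fetch()'s Headers.get().
function combineFieldLines(lines) {
  return lines.join(", ");
}

const KEY = "[a-z*][a-z0-9_.*-]*";
const INT = "-?\\d{1,15}";

// Older shape: a dictionary such as "limit=100, remaining=50, reset=30".
// As in RFC 8941 dictionaries, a repeated key keeps only its last value.
function parseDictionary(value) {
  const dict = {};
  for (const member of value.split(",")) {
    const m = new RegExp(`^\\s*(${KEY})=(${INT})\\s*$`).exec(member);
    if (!m) throw new SyntaxError(`bad member: ${JSON.stringify(member)}`);
    dict[m[1]] = Number(m[2]);
  }
  return dict;
}

// Proposed shape: items with parameters such as "somepolicy;r=500;t=10".
function parseItemList(value) {
  return value.split(",").map((member) => {
    const [name, ...rawParams] = member.trim().split(";");
    if (!/^[A-Za-z*][A-Za-z0-9_.:\/*-]*$/.test(name)) {
      throw new SyntaxError(`bad item: ${JSON.stringify(member)}`);
    }
    const params = {};
    for (const raw of rawParams) {
      const m = new RegExp(`^\\s*(${KEY})=(${INT})\\s*$`).exec(raw);
      if (!m) throw new SyntaxError(`bad parameter: ${JSON.stringify(raw)}`);
      params[m[1]] = Number(m[2]);
    }
    return { name, params };
  });
}

// Constructed sample: a server with two limits emits one RateLimit line per limit.
const DICT_LINES = ["limit=100, remaining=50, reset=30", "limit=1000, remaining=900, reset=3600"];
const ITEM_LINES = ["somepolicy;r=500;t=10", "otherpolicy;r=20;t=60"]; // "otherpolicy" is made up

// Dictionary shape: the first limit is silently overwritten by the second.
console.log(parseDictionary(combineFieldLines(DICT_LINES)));
// Item shape: both limits survive, each still tied to its policy name.
console.log(parseItemList(combineFieldLines(ITEM_LINES)));
```

A client that throttles itself from the dictionary result would only ever see the second limit, which is the case where the stricter first limit goes unnoticed.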