rgacogne
commented
7 years ago Agreed, and I have a preference for 'strip' too since it would be consistent with what we do for ECS at the moment.
Closed Habbie closed 6 years ago
rgacogne
commented
7 years ago Agreed, and I have a preference for 'strip' too since it would be consistent with what we do for ECS at the moment.
raybellis
commented
7 years ago This request came from DW - https://mailarchive.ietf.org/arch/msg/dnsop/ie3DhrIUCEEZwGaWtJ4pLjs96dw/
Habbie
commented
6 years ago After discussion with @raybellis and @rgacogne: suggest a MUST on REFUSED, even from implementations that do not otherwise support XPF, so that leaks are caught swiftly, as Duane suggested.
raybellis
commented
6 years ago I'm kind of OK with this, except that this then might become an oracle that discloses an XPF aware server (FSVO "aware") from one that has no XPF capabilities at all.
I don't know how much that matters, though.
Habbie
commented
6 years ago You can never rule out all fingerprinting possibilities.. I think this is the right balance.
raybellis
commented
6 years ago resolved by 3171ae39
3.1 says proxies strip XPF (unless), 3.2 says servers say REFUSED on XPF (unless). This behaviour should be identical for both (whichever choice we make) because a difference exposes details of the internals of a setup. I'm leaning towards 'strip' for both, but I'm fine with REFUSED for both too.
Thanks @mind04