Closed pmeenan closed 9 months ago
Is it possible browser side to refuse to use a compression dictionary received? As hinted in the Security Risks, a dictionary might be enabling attacks if not carefully created, or if intentionally build to enable easy attacks. Are there ways to analyse received dictionary?
Is it possible browser side to refuse to use a compression dictionary received? As hinted in the Security Risks, a dictionary might be enabling attacks if not carefully created, or if intentionally build to enable easy attacks. Are there ways to analyse received dictionary?
Sure, there are a few different ways (most of which just behave like a normal request flow without dictionaries):
Use-As-Dictionary
header is received on a response, the browser can choose to ignore it in which case it continues to operate as it normally would without dictionary support. It wouldn't store it and wouldn't advertise it as an Available-Dictionary
for future requests. This could be for any number of reasons including:
match
path was invalid (not same-origin).Available-Dictionary
.Available-Dictionary
) and it is determined to be opaque (even though the spec calls for servers to not use dictionary compression in this case) then the client will error the request.As far as analyzing the received dictionaries, I'm not sure if you mean at runtime in the browser or at scale using telemetry of some kind. The dictionaries themselves are normal responses and it would be up to each browser to determine if they want to instrument analysis of the payloads but most likely won't for privacy reasons. Projects like the HTTP Archive can crawl and archive the payloads of advertised dictionaries for the pages they visit if researchers wanted a dataset to operate off of but it's not comprehensive and doesn't have access to any content behind credentials or on private networks.
Thanks for those clarifications. My question was indeed for runtime detection in the browser.
We reviewed this during our call today and don't have further question or issues. Eager to see progress on that.
I'm requesting a TAG review of Compression Dictionary Transport.
This proposal adds support for using designated previous responses as an external dictionary for HTTP responses for compression schemes that support external dictionaries (e.g. Brotli and Zstandard).
Further details:
You should also know that...
We are taking the lower-level HTTP pieces (headers, content encoding, negotiation) through the IETF HTTP working group to create a RFC. The browser-specific parts will be layered on top of that and be integrated into the HTML and Fetch specs.
We'd prefer the TAG provide feedback as (please delete all but the desired option):
💬 leave review feedback as a comment in this issue and @-notify [github usernames]