Intent to implement: reject HTTP responses with non-advertised encoding

Eugene Kliuchnikov

Mar 13, 2017, 11:23:28 AM
to Chromium-dev
Contact emails

Summary
Unlike Firefox, Chromium decodes HTTP responses with "Content-Encoding" not advertised in the "Accept-Encoding" request header.
This might encourage web-site developers to sniff "User-Agent", for example, to send brotli-encoded content over a non-secure HTTP connection.

To fix this behavior, the "Accept-Encoding" header should be saved, and HttpNetworkTransaction could use it to check that the response respects it.

Ongoing technical constraints
None.

Tracking bug

Ryan Sleevi

Mar 13, 2017, 11:35:53 AM
to Eugene Kliuchnikov, blink-dev
Moving chromium-dev to BCC (and adding net-dev as a BCC), and adding Blink-Dev

While posed as an I2I, I think this actually represents a PSA of aligning to the HTTP spec - and to our previous commitments regarding our Intent to Implement: Brotli. That Chrome didn't match Content-Encoding to Accept-Encoding was a bug that only manifested when Brotli support was added, and other UAs do the right thing. While Firefox reported that they were aware of some sites beginning to UA sniff to exploit this bug, thus creating some degree of compat risk, we believe it to be trivial, especially since it involved these sites knowingly violating the spec regarding encodings, in ways that were already not cross-browser compatible.

So I think it's probably right to consider this a PSA - it's spec-aligning, it's trivial impact, and the longer we continue to ship this behaviour (e.g. to gather metrics to measure the exploitation of this bug), the greater the compatibility risks for both us and other browsers.
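
The check discussed in this thread, as an added example that is not part of either message and is not Chromium's code: it compares a response's Content-Encoding against the Accept-Encoding value saved from the request. The function name, the q-value handling and the sample header values are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdlib>
#include <set>
#include <sstream>
#include <string>

// Illustrative code, not Chromium's. Coding names are case-insensitive, so
// list elements are trimmed and lower-cased before comparison.
static std::string Normalize(std::string s) {
  auto not_space = [](unsigned char c) { return !std::isspace(c); };
  s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_space));
  s.erase(std::find_if(s.rbegin(), s.rend(), not_space).base(), s.end());
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return s;
}

// True when every coding in the response's Content-Encoding was offered in the
// Accept-Encoding value saved from the request. An empty value offers nothing
// beyond "identity"; a request sent without the header is the caller's case.
bool ContentEncodingAdvertised(const std::string& accept_encoding,
                               const std::string& content_encoding) {
  std::set<std::string> accepted, refused;
  std::istringstream offered(accept_encoding);
  for (std::string item; std::getline(offered, item, ',');) {
    item = Normalize(item);
    const std::size_t semi = item.find(';');
    const std::string coding = Normalize(item.substr(0, semi));
    if (coding.empty()) continue;
    // "q=0" marks a coding as not acceptable. An unparsable q-value reads as
    // 0 here, so it fails closed.
    const std::size_t q =
        semi == std::string::npos ? semi : item.find("q=", semi);
    const bool zero = q != std::string::npos &&
                      std::strtod(item.c_str() + q + 2, nullptr) == 0.0;
    (zero ? refused : accepted).insert(coding);
  }
  std::istringstream applied(content_encoding);
  for (std::string item; std::getline(applied, item, ',');) {
    const std::string coding = Normalize(item);
    if (coding.empty() || coding == "identity") continue;  // nothing to decode
    if (refused.count(coding)) return false;
    if (!accepted.count(coding) && !accepted.count("*")) return false;
  }
  return true;
}
```

With the constructed request value `gzip, deflate`, a response labelled `br` is rejected, while the same response is accepted when the request offered `gzip, deflate, br`.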
