mnot’s blog

Design depends largely on constraints.” — Charles Eames

Monday, 4 April 2011

HTTP Standards Web

HTTP POST: IETF Prague Edition


Last week found lots of HTTP-ish folks in Prague for IETF 80. In short, the good bits:


HTTPbis had a cracker of a meeting, with three RFC2616 authors and representatives of all five major browsers in the room.

First and foremost, the Content-Disposition draft has been approved for publication as an RFC by the IESG. This is great news for interoperability, with growing browser support for the revised specification. With one critical issue scheduled for a fix in FireFox 5 — bravely announced for a June release — we’ll soon be in a place where it’s easy to have internationalised file downloads from the Web. Special thanks to Julian Reschke.

The “core” HTTPbis specifications are coming along nicely too, with just a handful of issues left after 14 drafts. We announced an intent to get to Last Call before November, and based upon the progress we made on some of our most difficult issues, that looks very doable.

Dave Crocker talked about DOSETA, a generalisation of DKIM that might be useful for signing HTTP messages. This area has had lots of interest recently, both from Red Hat’s Bill Burke and from various folks pushing JSON-based signatures at the WOES side meeting. Expect to hear more soon (or follow Dave’s work more closely on doseta-discuss).

We also heard from Patrick McManus about his efforts to improve pipelining in Mozilla. The results he’s showing are very promising; while they probably won’t make it into FF5, they should show up soon afterwards, and in the meantime you can download his patched builds to see just how fast a pipelined Web is. Make sure you give him feedback, and have a read of my related draft.

Mike Belshe gave an overview of SPDY’s progress, explaining the gains it offers, as well as how TLS and TCP hold SPDY (and HTTP) back. More on this below.

Finally, Martin Thomson talked about his proposals for communicating timeouts in HTTP for use cases like “hanging GETs” and tunneled WebSockets connections. Discussion on list and in the room seems to be leaning towards clarifying the Keep-Alive header’s use for at least some of the use cases here.

We also had updates from two related groups, HYBI and WEBSEC; see below for details.


The tumultuous HYBI Working Group — home of the WebSockets protocol — met and gave an overview of where they’re at (a good idea, considering how busy their fire-hose of a mailing list has been!). Draft -06 of the protocol seems like it’s stabilising and attracting broad implementation, although there’s still a lot of back-and-forth in discussion. Hopefully the browser implementers’ focus on schedule will concentrate the effort and produce a timely result.

HYBI also announced a transition of chairs from Joe Hildebrand (Cisco) to Gabriel Montenegro (Microsoft). While Joe is a great asset, he’s also very busy, so having someone able to devote more time to pushing HYBI along the path is a good thing, and Gabriel has been a solid, constructive contributor to the group for some time now.

From an HTTP perspective, we affirmed that WebSockets is now using HTTP Upgrade correctly, so that — at least during the handshake — it’s really speaking HTTP properly on ports 80 and 443. HTTPbis is also asking for feedback on the new text on Upgrade in part 1, to make sure we’re still well-aligned.

Note that nowhere above do I talk about whether the spec itself is useful or good; only that it doesn’t abuse HTTP too horribly. For one perspective on that, see Dave Cridland’s thoughts.


Web security continues to be a topic of much discussion. On the IETF side, the WEBSEC Working Group is working on a number of aspects, including Adam Barth’s mime sniffing draft, and Jeff Hodges’ Strict Transport Security. Some time was also given to discussing a more general framework for communicating such policy on the Web — a subject close to my heart.

A bit of time at WEBSEC was also given to discussing the “Do Not Track” proposals. Alissa Cooper from CDT did a great job explaining the different aspects of this complex issue, and the IETF likewise did a wonderful job of showing how appropriate a venue it is for high-level policy discussions. Enough said.

Heavily related to this is ongoing work in the W3C, including an upcoming Workshop on Tracking and Privacy, and a nascent Web Application Security WG that will ship CORS as well as Mozilla’s Content Security Policy.


The working group for HTTP Cookies didn’t meet, because they’re almost done. draft-ietf-httpstate-cookie-23 is in the RFC Editor queue, and gives us — for the first time — a specification of cookies as they’re actually used in the wild. Congratulations to Adam Barth, Jeff Hodges and everyone else who made this happen.

Transport Area

Application-layer folks are getting more interested in the details of the underlying transport, for a variety of reasons. In the Transport Area Open Meeting, Jim Gettys explained his discovery of Bufferbloat in detail.

Jim was followed by Mike Belshe talking in more detail about his experiences with SPDY and its interaction with TCP. In a nutshell, Mike sees two ‘taxes’ to using TCP — the cost of the initial handshake, and perverse incentives to use more than one connection. The proposes to fix these — TCP Fast Open and an increased initial congestion window — are being discussed.

Taken together, Jim and Mike’s presentations lead to an unpleasant truth… that Web folks’ focus on getting a lot of bytes to browsers as quickly as possible is colliding head-on with the gentleman’s agreement that is congestion control on the Internet. Hopefully, we can come to a compromise — e.g., using HTTP pipelining or SPDY to reduce the number of connections a browser needs, along with opening the initial congestion window in a controlled way.

Other Stuff

Non-IETF HTTP-related things are also happening, including Steve Souders’ announcement of the HTTP Archive, a way to track performance- and protocol-related metrics for popular sites over time.

Ilya Grigorik mentioned that he’s working on a SPDY implementation in Ruby.

Eric Lawrence did a deep-dive into how browsers handle Content-Length issues, and also highlighted issues with sites that don’t use persistent connections over SSL. If you don’t already subscribe to his blog, I highly recommend you do.

Finally, I’ve talked elsewhere about two new tools; the way-cool htracr and the even more amazing “ Is it RESTful?” site. Make sure you check them out if you haven’t already.

3 Comments said:

Thanks for this Mark — almost as good as being there (almost). I’m sorry I missed it.

Monday, April 4 2011 at 5:26 AM

andrew.wahbe said:

Minor point – third paragraph, I think you mean “Content-Disposition draft” not “Content-Location draft”

Tuesday, April 5 2011 at 1:17 AM