Merge branch 'main' into ErrataFix

httpwg · Feb 14, 2025 · 56ed2c8 · 56ed2c8
2 parents 9713d1a + ccd440c
commit 56ed2c8
Show file tree

Hide file tree

Showing 12 changed files with 809 additions and 134 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,15 +1,14 @@
 # Automatically generated CODEOWNERS
 # Regenerate with `make update-codeowners`
-draft-ietf-httpbis-alias-proxy-status.md tpauly@apple.com
-draft-ietf-httpbis-client-cert-field.md bcampbell@pingidentity.com mbishop@evequefou.be
-draft-ietf-httpbis-digest-headers.md robipolli@gmail.com lucaspardue.24.7@gmail.com
-draft-ietf-httpbis-message-signatures.md richanna@amazon.com ietf@justin.richer.org msporny@digitalbazaar.com
-draft-ietf-httpbis-origin-h3.md mbishop@evequefou.be
-draft-ietf-httpbis-resumable-upload.md marius@transloadit.com guoye_zhang@apple.com lucaspardue.24.7@gmail.com
+draft-ietf-httpbis-cache-groups.md mnot@mnot.net
+draft-ietf-httpbis-compression-dictionary.md pmeenan@google.com yoav.weiss@shopify.com
+draft-ietf-httpbis-connect-tcp.md ietf@bemasc.net
+draft-ietf-httpbis-no-vary-search.md d@domenic.me jbroman@chromium.org
+draft-ietf-httpbis-optimistic-upgrade.md ietf@bemasc.net
+draft-ietf-httpbis-resumable-upload.md marius@transloadit.com guoye_zhang@apple.com lucas@lucaspardue.com
 draft-ietf-httpbis-retrofit.md mnot@mnot.net
 draft-ietf-httpbis-rfc6265bis.md bingler@google.com mkwst@google.com wilander@apple.com
-draft-ietf-httpbis-rfc7838bis.md mbishop@evequefou.be mt@lowentropy.net
-draft-ietf-httpbis-safe-method-w-body.xml julian.reschke@greenbytes.de malhotrasahib@gmail.com jasnell@gmail.com
-draft-ietf-httpbis-sfbis.md mnot@mnot.net phk@varnish-cache.org
-draft-ietf-httpbis-unprompted-auth.md dschinazi.ietf@gmail.com david@guardianproject.info jonathan.hoyland@gmail.com
-draft-ietf-httpbis-variants.md mnot@mnot.net
+draft-ietf-httpbis-safe-method-w-body.xml julian.reschke@greenbytes.de malhotrasahib@gmail.com jasnell@gmail.com mbishop@evequefou.be
+draft-ietf-httpbis-secondary-server-certs.md e_gorbaty@apple.com mbishop@evequefou.be
+draft-ietf-httpbis-wrap-up.md dschinazi.ietf@gmail.com lucas@lucaspardue.com
+rfc9729.md dschinazi.ietf@gmail.com david@guardianproject.info jonathan.hoyland@gmail.com
diff --git a/.github/workflows/archive.yml b/.github/workflows/archive.yml
@@ -16,6 +16,8 @@ jobs:
   build:
     name: "Archive Issues and Pull Requests"
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - name: "Checkout"
       uses: actions/checkout@v4

diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml
@@ -18,6 +18,8 @@ jobs:
   build:
     name: "Update Editor's Copy"
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - name: "Checkout"
       uses: actions/checkout@v4

diff --git a/.gitignore b/.gitignore
@@ -1,21 +1,53 @@
-*.redxml
-*.txt
 *.html
 *.pdf
+*.redxml
+*.swp
+*.txt
 *.upload
-.tags
 *~
-*.swp
-/*-[0-9][0-9].xml
 .refcache
+.tags
 .targets.mk
-venv/
+/*-[0-9][0-9].xml
+/.*.mk
+/.gems/
+/.refcache
+/.venv/
+/.vscode/
+/lib
+/node_modules/
+/versioned/
+Gemfile.lock
+archive.json
+draft-ietf-httpbis-*.xml
+draft-ietf-httpbis-alias-proxy-status.xml
+draft-ietf-httpbis-cache-groups.xml
+draft-ietf-httpbis-client-cert-field.xml
+draft-ietf-httpbis-compression-dictionary.xml
+draft-ietf-httpbis-connect-tcp.xml
+draft-ietf-httpbis-digest-headers.xml
+draft-ietf-httpbis-message-signatures.xml
+draft-ietf-httpbis-no-vary-search.xml
+draft-ietf-httpbis-optimistic-upgrade.xml
+draft-ietf-httpbis-origin-h3.xml
+draft-ietf-httpbis-resumable-upload.xml
+draft-ietf-httpbis-retrofit.xml
+draft-ietf-httpbis-rfc6265bis.xml
+draft-ietf-httpbis-rfc7838bis.xml
+draft-ietf-httpbis-safe-method-w-body.xml
+draft-ietf-httpbis-secondary-server-certs.xml
+draft-ietf-httpbis-sfbis.xml
+draft-ietf-httpbis-unprompted-auth.xml
+draft-ietf-httpbis-variants.xml
+draft-ietf-httpbis-wrap-up.xml
+draft-ietf-httpbis-zstd-window-size.xml
 issues.json
+lib
+node_modules//lib
+package-lock.json
 pulls.json
 report.xml
-lib
-draft-ietf-httpbis-*.xml
+rfc9729.xml
+venv/
 !draft-ietf-httpbis-safe-method-w-body.xml
 !requirements.txt
-package-lock.json
-node_modules/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -145,4 +145,19 @@ Definitive information is in the documents listed below and other IETF BCPs. For
 - [BCP 54](https://www.rfc-editor.org/info/bcp54) (Code of Conduct)
 - [BCP 78](https://www.rfc-editor.org/info/bcp78) (Copyright)
 - [BCP 79](https://www.rfc-editor.org/info/bcp79) (Patents, Participation)
-- [https://www.ietf.org/privacy-policy/](https://www.ietf.org/privacy-policy/) (Privacy Policy)
+- [https://www.ietf.org/privacy-policy/](https://www.ietf.org/privacy-policy/) (Privacy Policy)
+
+## Working Group Information
+
+Discussion of this work occurs on the [HTTP
+Working Group mailing list](mailto:ietf-http-wg@w3.org)
+([archive](http://lists.w3.org/Archives/Public/ietf-http-wg/),
+[subscribe](ietf-http-wg-request@w3.org)).
+In addition to contributions in GitHub, you are encouraged to participate in
+discussions there.
+
+**Note**: Some working groups adopt a policy whereby substantive discussion of
+technical issues needs to occur on the mailing list.
+
+You might also like to familiarize yourself with other
+[Working Group documents](https://datatracker.ietf.org/wg/httpbis/documents/).
diff --git a/LICENSE.md b/LICENSE.md
@@ -0,0 +1,4 @@
+# License
+
+See the
+[guidelines for contributions](https://github.com/httpwg/http-extensions/blob/main/CONTRIBUTING.md).
diff --git a/Makefile b/Makefile
@@ -10,10 +10,14 @@ include $(LIBDIR)/main.mk
 $(LIBDIR)/main.mk:
 ifneq (,$(shell grep "path *= *$(LIBDIR)" .gitmodules 2>/dev/null))
 	git submodule sync
-	git submodule update $(CLONE_ARGS) --init
+	git submodule update --init
 else
-	git clone -q --depth 10 $(CLONE_ARGS) \
-	    -b main https://github.com/martinthomson/i-d-template $(LIBDIR)
+ifneq (,$(wildcard $(ID_TEMPLATE_HOME)))
+	ln -s "$(ID_TEMPLATE_HOME)" $(LIBDIR)
+else
+	git clone -q --depth 10 -b main \
+	    https://github.com/martinthomson/i-d-template $(LIBDIR)
+endif
 endif
 
 clean::

diff --git a/draft-ietf-httpbis-unprompted-auth.md → ...ive/draft-ietf-httpbis-unprompted-auth.md b/draft-ietf-httpbis-unprompted-auth.md → ...ive/draft-ietf-httpbis-unprompted-auth.md
diff --git a/draft-ietf-httpbis-optimistic-upgrade.md b/draft-ietf-httpbis-optimistic-upgrade.md
@@ -158,9 +158,9 @@ Future specifications for Upgrade Tokens should restrict their use to "GET" requ
 
 # Guidance for HTTP CONNECT
 
-In HTTP/1.1, clients that send CONNECT requests on behalf of untrusted TCP clients MUST wait for a 2xx (Successful) response before sending any TCP payload data.
+In HTTP/1.1, proxy clients that send CONNECT requests on behalf of untrusted TCP clients MUST wait for a 2xx (Successful) response before forwarding any TCP payload data.  Proxy clients that start forwarding before confirming the response status code are vulnerable to a trivial request smuggling attack ({{request-smuggling}}).
 
-To mitigate vulnerabilities from any clients that do not conform to this requirement, proxy servers MAY close the underlying connection when rejecting an HTTP/1.1 CONNECT request, without processing any further data sent to the proxy server on that connection.  Note that this behavior may impair performance, especially when returning a "407 (Proxy Authentication Required)" response.
+To mitigate the impact of such vulnerable clients, proxy servers MAY close the underlying connection when rejecting an HTTP/1.1 CONNECT request, without processing any further data on that connection.  Note that this behavior will frequently impair the performance of correctly implemented clients, especially when returning a "407 (Proxy Authentication Required)" response.  This performance loss can be be avoided by using HTTP/2 or HTTP/3, which are not vulnerable to this attack.
 
 # IANA Considerations