Include custom request/response headers in reports #96
Conversation
The new `request_headers` and `response_headers` policy fields allow you to instruct the user agent to include the values of arbitrary request and response headers when creating a NEL report about a request. Issue w3c#93
|
The main open question I have about this is whether there are any request or response headers that we have to prohibit for security or privacy reasons. I don't think we do, but I'd like to hear other people's opinions, too. My reasoning: a NEL report is only supposed to contain information that the server would already have visibility into. Since the server can always see every request header sent by the user agent, and has full control over which response headers it sends back, then there isn't any new information that we could leak to the server owner using this mechanism. To make sure that we handle the kinds of attacks mentioned in #74, we make sure to clear out any custom headers when downgrading a report (which happens when we have a policy for a particular domain, but can't verify that the domain owner is the same as the server owner). |
dcreager
requested review from
AloisReitbauer,
cvazac,
igrigorik and
yoavweiss
|
Adding several reviewers who are participating in the discussion on w3c/trace-context#69; please feel free to add others! |
index.html
Outdated
| end user request, and uses a distributed tracing framework to correlate | ||
| events about all of these requests together. The tracing framework | ||
| relies on the browser generating a unique trace ID for each outgoing | ||
| request, placing it in the request's <code>TraceParent</code> header. |
There was a problem hiding this comment.
This bit assumes the browser supports such a thing, but that's not the case today, nor is it clear where / how that will be defined. Should we omit this for now? If we want to keep this, I'd propose pulling this content out into a non-normative note, with a link to relevant discussion / WIP spec that attempts to defines this.
There was a problem hiding this comment.
There was also confusion at TPAC about this — consensus was to discuss other use cases (and possibly remove/move this one as you suggest) to clarify that this feature is not specific to Distributed Tracing.
There was a problem hiding this comment.
Changed the example to talk about cache validation (ETag and If-None-Match) instead.
index.html
Outdated
| data-lt="policy request headers">request headers</dfn> and a list of <dfn | ||
| data-lt-noDefault data-lt="policy response headers">response | ||
| headers</dfn>, each of which is a list of | ||
| header names. |
There was a problem hiding this comment.
To be consistent with IETF nomenclature and be more precise, let's use "header field names" throughout?
There was a problem hiding this comment.
I was following Fetch, which uses "header name". (Though I should link this to the fetch definition)
index.html
Outdated
|
|
||
| <p> | ||
| The OPTIONAL <dfn><code>response_headers</code></dfn> member defines the | ||
| list of <a data-lt="policy response headers">response headers</a> that |
There was a problem hiding this comment.
Is it worth clarifying that you intend to append both header field name and value in these reports? Ditto for both request and response.
|
Re, security / privacy and exposing headers: I believe your reasoning makes sense. The server would see all these headers already, so we shouldn't be exposing anything new, short of allowing said origin to delegate delivery to alternate reporting endpoint. That said, I'd love for @mikewest to sanity check before we land this. |
We discussed this at TPAC today and the consensus was that this should be fine from a security/privacy standpoint. |
index.html
Outdated
| data-lt="policy request headers">request headers</dfn> and a list of <dfn | ||
| data-lt-noDefault data-lt="policy response headers">response | ||
| headers</dfn>, each of which is a list of | ||
| header names. |
There was a problem hiding this comment.
I was following Fetch, which uses "header name". (Though I should link this to the fetch definition)
index.html
Outdated
|
|
||
| <p> | ||
| The OPTIONAL <dfn><code>response_headers</code></dfn> member defines the | ||
| list of <a data-lt="policy response headers">response headers</a> that |
index.html
Outdated
| end user request, and uses a distributed tracing framework to correlate | ||
| events about all of these requests together. The tracing framework | ||
| relies on the browser generating a unique trace ID for each outgoing | ||
| request, placing it in the request's <code>TraceParent</code> header. |
There was a problem hiding this comment.
Changed the example to talk about cache validation (ETag and If-None-Match) instead.
|
Thanks Ilya! Any other comments/questions before we merge this? |
|
Looks good from this end. |
The new
request_headersandresponse_headerspolicy fields allow you to instruct the user agent to include the values of arbitrary request and response headers when creating a NEL report about a request.Issue #93