IETF125 HTTP Working Group Minutes
Other Topics
- Presenter: Dick Hardt
- Discussion: The proposal introduces headers (Redirect-Query, Redirect-Origin, Redirect-Path) to move sensitive parameters (like OAuth codes) out of the URL during redirects.
- Feedback: Martin Thomson and David Schinazi expressed skepticism, noting that moving bits to headers doesn’t necessarily prevent access by malicious browser extensions. Mark Nottingham highlighted tracking vector concerns. There was a general sense that this work might be better suited for the OAuth WG or WHATWG.
- Presenter: Dick Hardt
- Discussion: This proposal defines a way to carry public keys within HTTP messages for use with HTTP Message Signatures. Dick Hardt highlighted use cases for mobile app attestation and ephemeral keys.
- Feedback: David Schinazi raised concerns regarding the “alg: none” type vulnerability where a receiver might trust a key provided in the header without verification. Martin Thomson found the design overly complex but acknowledged the validity of the session-binding use cases.
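The "alg: none"-style concern above, as an added illustration that is not code from the draft or the minutes: a Go verifier for a simplified RFC 9421-style signature where the signer's public key travels in the message. The header name `signature-key`, the fixed component set and the fingerprint-pinned trust store are assumptions for this example; with `trusted == nil` the verifier reproduces the flaw (any key the sender supplies is used), with a pinned set the in-band key must already be bound to a trusted identity before the signature check means anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Message is a minimal HTTP message model. KeyHeader stands in for a hypothetical
// header carrying the signer's public key in-band (the name is an assumption, not the draft's).
type Message struct {
	Method, Authority, Path, ContentDigest string
	KeyHeader, Signature                   string // base64 Ed25519 public key, base64 signature
}

// signatureBase is a simplified RFC 9421 signature base over a fixed component set. The in-band
// key is covered so it cannot be swapped after signing; covering it says nothing about trust.
func signatureBase(m Message) string {
	return fmt.Sprintf("\"@method\": %s\n\"@authority\": %s\n\"@path\": %s\n\"content-digest\": %s\n"+
		"\"signature-key\": %s\n\"@signature-params\": (\"@method\" \"@authority\" \"@path\" \"content-digest\" \"signature-key\")",
		m.Method, m.Authority, m.Path, m.ContentDigest, m.KeyHeader)
}

// Fingerprint is the hex SHA-256 of the raw public key; the receiver's trust store is keyed by it.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign attaches the signer's public key and an Ed25519 signature to the message.
func Sign(m Message, priv ed25519.PrivateKey) Message {
	m.KeyHeader = base64.StdEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(signatureBase(m))))
	return m
}

// Verify checks the signature with the key carried in the message. trusted == nil is the
// "alg: none"-style verifier: whatever key the sender supplies is used, so a valid signature
// under any sender-chosen key passes. With a trust store, the in-band key must first match a
// fingerprint pinned earlier (session binding) or vouched for by attestation.
func Verify(m Message, trusted map[string]bool) error {
	pub, err1 := base64.StdEncoding.DecodeString(m.KeyHeader)
	sig, err2 := base64.StdEncoding.DecodeString(m.Signature)
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed key header or signature")
	}
	if trusted != nil && !trusted[Fingerprint(pub)] {
		return errors.New("in-band key is not bound to a trusted identity")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(signatureBase(m)), sig) {
		return errors.New("bad signature")
	}
	return nil
}
```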
- Presenter: Mark Nottingham
- Draft: draft-nottingham-httpbis-preliminary-request-denied
- Discussion: Servers currently use 503 status codes to deny speculative prefetches (e.g., those triggered by Sec-Purpose: prefetch), which can alarm operational monitoring teams. The draft proposes a new status code (e.g., 4xx “Preliminary Request Denied” or “Purpose Declined”) to disambiguate these denials.
- Feedback: There was strong support for adoption from Yoav Weiss, Nidhi Jaju, Lucas Pardue, and Guoye Zhang.
- Presenter: Yaroslav Rosomakho
- Discussion: The proposal introduces an Unbound-DATA frame for HTTP/3 CONNECT requests. Once sent, the remainder of the QUIC stream is treated as raw data without further HTTP framing, reducing overhead and complexity for high-performance proxies.
- Feedback: Benjamin Schwartz questioned the need to mix standard DATA frames and Unbound DATA, while David Schinazi argued that allowing both is simpler for implementation state machines.
Active Drafts
Note that Connect-TCP was presented before Unbound DATA.
- Presenter: Benjamin Schwartz
- Draft: draft-ietf-httpbis-connect-tcp
- Discussion: The group discussed a conflict between Proxy-Status trailers and the CONNECT method, as HTTP/2 and HTTP/3 generally prohibit trailers on CONNECT streams.
- Feedback: Mike Bishop, David Schinazi, and others argued against extending CONNECT to allow trailers. The consensus was to remove the trailer text from the draft and adhere to existing protocol restrictions.
- Presenter: Guoye Zhang
- Draft: draft-ietf-httpbis-resumable-upload
- Discussion: Focus was on client retry behavior and the retrieval of lost responses after an upload is complete.
- Feedback: Martin Thomson recommended keeping the retrieval of lost responses out of scope to avoid delaying the draft. The authors agreed to move toward finishing the draft by summer with non-normative guidance on retries.
HTTP Wrap-up Capsule
- Discussion: David Schinazi noted a lack of immediate personal use cases for the draft and suggested parking it. However, Yaroslav Rosomakho and Tommy Pauly expressed interest in implementing it for proxy use cases.
- Decision: The draft will remain active. Yaroslav Rosomakho may join as an author to help drive the work forward with a constrained scope.
Secondary Certificate Authentication
- Status: This work has languished. The chairs will contact the authors to determine if there is interest in continuing or if additional authorial help is required.
- Presenter: Alan Frindell
- Discussion: MoQ requires header compression for parameters but operates over WebTransport (lacking transport stream IDs). MOQPACK reuses QPACK’s synchronization logic but removes Huffman encoding and redefines static table references to use integer keys.
- Feedback: Martin Thomson suggested that while the synchronization concepts of QPACK (RFC 9204) are valuable, the implementation should use MoQ varints and avoid literal reuse of the QPACK spec text due to semantic differences.
