Skip to content

Add support for compression dictionary transport #1854

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pmeenan wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add support for compression dictionary transport #1854

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0b960d9
Added compression-dictionary destination
pmeenan Dec 16, 2025
b8e46ea
Added processing of the use-as-dictionary response header
pmeenan Dec 16, 2025
9d71627
Added support for dictionary matching
pmeenan Dec 16, 2025
18affa8
Added "dcb" and "dcz" decoding
pmeenan Dec 16, 2025
fd93fd1
Fixed build errors
pmeenan Dec 16, 2025
1d97a05
Switched compression dictionary reference to use the (pending) RFC nu…
pmeenan Dec 16, 2025
e8ce404
Add no-cors dictionary support with Cross-Origin-Resource-Policy opt-in
pmeenan Dec 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
153 changes: 150 additions & 3 deletions fetch.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,9 @@ urlPrefix:https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cooki
"HTTP-CACHING": {
"aliasOf": "RFC9111"
},
"HTTP-COMPRESSION-DICTIONARIES": {
"aliasOf": "RFC9842"
},
Comment on lines +84 to +86
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can just reference the RFC number directly. No need for an alias.

"HTTP1": {
"aliasOf": "RFC9112"
},
Expand Down Expand Up @@ -1802,6 +1805,7 @@ is "<code>all</code>" or "<code>none</code>". Unless stated otherwise it is "<co
<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-initiator>initiator</dfn>, which is
the empty string,
"<code>compression-dictionary</code>",
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need a distinct initiator if we also have a distinct destination?

"<code>download</code>",
"<code>imageset</code>",
"<code>manifest</code>",
Expand All @@ -1816,6 +1820,7 @@ device to assist defining CSP and Mixed Content. It is not exposed to JavaScript
<p>A <dfn export>destination type</dfn> is one of:
the empty string,
"<code>audio</code>",
"<code>compression-dictionary</code>",
"<code>audioworklet</code>",
"<code>document</code>",
"<code>embed</code>",
Expand Down Expand Up @@ -1960,6 +1965,11 @@ not always relevant and might require different behavior.
<td>"<code>video</code>"
<td><code>media-src</code>
<td>HTML's <code>&lt;video></code> element
<tr>
<td>"<code>compression-dictionary</code>"
<td>"<code>compression-dictionary</code>"
<td><code>default-src</code>
<td>HTML's <code>&lt;link rel=compression-dictionary&gt;</code>
<tr>
<td>"<code>download</code>"
<td>""
Expand Down Expand Up @@ -3274,6 +3284,22 @@ or an <a>implementation-defined</a> value.
</div>


<h3 id=compression-dictionary-cache-partitions>Compression-dictionary cache partitions</h3>

<div algorithm>
<p>To <dfn>determine the compression-dictionary cache partition</dfn>, given a <a for=/>request</a> <var>request</var>:

<ol>
<li><p>Let <var>key</var> be the result of <a for=request>determining the network partition key</a>
given <var>request</var>.

<li><p>If <var>key</var> is null, then return null.

<li><p>Return the unique compression-dictionary cache associated with <var>key</var>. [[!HTTP-COMPRESSION-DICTIONARIES]]
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there PRs against Storage and Clear-Site-Data about clearing this cache? It would be good if those were linked from the commit message.

</ol>
</div>


<h3 id=port-blocking>Port blocking</h3>

<p class=note>New protocols can avoid the need for blocking ports by negotiating the protocol
Expand Down Expand Up @@ -6304,8 +6330,9 @@ run these steps:
<li><p>If <var>httpRequest</var>'s <a for=request>cache mode</a> is
"<code>only-if-cached</code>", then return a <a>network error</a>.

<li><p>Let <var>forwardResponse</var> be the result of running <a>HTTP-network fetch</a> given
<var>httpFetchParams</var>, <var>includeCredentials</var>, and <var>isNewConnectionFetch</var>.
<li><p>Let <var>forwardResponse</var> be the result of running
<a>HTTP-network compression-dictionary fetch</a> given <var>httpFetchParams</var>,
<var>includeCredentials</var>, and <var>isNewConnectionFetch</var>.

<li><p>If <var>httpRequest</var>'s <a for=request>method</a> is <a>unsafe</a> and
<var>forwardResponse</var>'s <a for=response>status</a> is in the range 200 to 399, inclusive,
Expand Down Expand Up @@ -6454,12 +6481,131 @@ run these steps:
<li><p>If <var>isAuthenticationFetch</var> is true, then create an <a>authentication entry</a> for
<var>request</var> and the given realm.

<li>
<p>If <var>response</var>'s <a for=response>header list</a>
<a for="header list">contains</a> `<code>Use-As-Dictionary</code>`, then:
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<a for="header list">contains</a> `<code>Use-As-Dictionary</code>`, then:
<a for="header list">contains</a> `<code>Use-As-Dictionary</code>`:

<!-- This is defined in [[!HTTP-COMPRESSION-DICTIONARIES]] -->

<ol>
<li><p>Let <var>dictionaryValue</var> be the result of
<a for="header list">getting a structured field value</a> given `<code>Use-As-Dictionary</code>`,
"<code>dictionary</code>", and <var>response</var>'s <a for=response>header list</a>.

<li><p>If <var>dictionaryValue</var> is null or <var>dictionaryValue</var>["<code>match</code>"]
does not <a for=map>exist</a>, then return <var>response</var>.

<li><p>Let <var>pattern</var> be the result of creating a URL pattern from
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"creating a URL pattern" needs some kind of link to a definition.

<var>dictionaryValue</var>["<code>match</code>"] and <var>request</var>'s
<a for=request>current URL</a>.

<li><p>If <var>pattern</var> is failure or <var>pattern</var> has regexp groups, then return
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"has regexp groups" needs a definition.

<var>response</var>.

<li><p>Let <var>compressionDictionaryCache</var> be the result of
<a>determining the compression-dictionary cache partition</a> given <var>request</var>.

<li><p>If <var>compressionDictionaryCache</var> is null, then return <var>response</var>.
Comment on lines +6504 to +6507
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should do this before creating a URL pattern. This seems less expensive.


<li><p>Let <var>corpPolicy</var> be the result of <a for="header list">getting</a>
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` from <var>response</var>'s
<a for=response>header list</a>.

<li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>" and
<var>corpPolicy</var> is not `<code>cross-origin</code>`, then return <var>response</var>.
Comment on lines +6509 to +6514
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't good enough. We want corpPolicy to be a good value across redirects. We should have tests for that as well.


<li><p>Let <var>expirationTime</var> be the time at which the <var>response</var> becomes stale.
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs more links to definitions.


<li><p>If <var>expirationTime</var> is not in the future, then return <var>response</var>.

<li><p>Store <var>response</var> in <var>compressionDictionaryCache</var> with its associated
<var>dictionaryValue</var> and <var>expirationTime</var>.
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we also store pattern somewhere?

</ol>

<li><p>Return <var>response</var>. <span class=note>Typically <var>response</var>'s
<a for=response>body</a>'s <a for=body>stream</a> is still being enqueued to after
returning.</span>
</ol>
</div>

<h3 id=http-network-compression-dictionary-fetch>HTTP-network compression-dictionary fetch</h3>

<div algorithm>
<p>To <dfn id=concept-http-network-compression-dictionary-fetch>HTTP-network compression-dictionary fetch</dfn>,
given a <a for=/>fetch params</a> <var>fetchParams</var>, an optional boolean
<var>includeCredentials</var> (default false), and an optional boolean <var>forceNewConnection</var>
(default false), run these steps:

<ol>
<li><p>Let <var>request</var> be <var>fetchParams</var>'s <a for="fetch params">request</a>.

<li><p>If <var>request</var>'s <a for=request>mode</a> is "<code>no-cors</code>", then return the
result of running <a>HTTP-network fetch</a> given <var>fetchParams</var>,
<var>includeCredentials</var>, and <var>forceNewConnection</var>.

<li><p>If the user agent is configured to block cookies for <var>request</var>, then return the
result of running <a>HTTP-network fetch</a> given <var>fetchParams</var>,
<var>includeCredentials</var>, and <var>forceNewConnection</var>.
Comment on lines +6545 to +6547
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand this. The dictionary is partitioned so how is it different from the HTTP cache?

Copy link
Contributor Author

@pmeenan pmeenan Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Use-As-Dictionary response header can attach an arbitrary ID to arbitrary requests from the same origin (that match a given pattern) without having to access the underlying response. This allows non-executable responses to attach a tracking ID to an origin that behaves like a cookie without having to execute code (image-only origins for example).

To keep things consistent with dev expectations and CSP, the security and privacy teams requested that they also be treated as cookies and not be allowed in situations where cookies would not have been allowed.


<li><p>Let <var>compressionDictionaryCache</var> be the result of
<a>determining the compression-dictionary cache partition</a> given <var>request</var>.

<li><p>If <var>compressionDictionaryCache</var> is null, then return the result of running
<a>HTTP-network fetch</a> given <var>fetchParams</var>, <var>includeCredentials</var>, and
<var>forceNewConnection</var>.

<li><p>Let <var>bestMatch</var> be the result of finding the best matching dictionary in
<var>compressionDictionaryCache</var> for <var>request</var> as defined in
[[!HTTP-COMPRESSION-DICTIONARIES]].

<li><p>If <var>bestMatch</var> is null, then return the result of running <a>HTTP-network fetch</a>
given <var>fetchParams</var>, <var>includeCredentials</var>, and <var>forceNewConnection</var>.

<li><p>Add the `<code>Available-Dictionary</code>` and `<code>Dictionary-ID</code>`
(if applicable) headers to <var>request</var> using <var>bestMatch</var> as defined in
[[!HTTP-COMPRESSION-DICTIONARIES]].

<li><p><a for="header list">Combine</a> (`<code>Accept-Encoding</code>`, `<code>dcb</code>`)
in <var>request</var>'s <a for=request>header list</a>.

<li><p><a for="header list">Combine</a> (`<code>Accept-Encoding</code>`, `<code>dcz</code>`)
in <var>request</var>'s <a for=request>header list</a>.
Comment on lines +6567 to +6571
Copy link
Member

@annevk annevk Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we doing this even if web developers set these headers? That seems rather sketchy.


<li><p>Let <var>response</var> be the result of running <a>HTTP-network fetch</a> given
<var>fetchParams</var>, <var>includeCredentials</var>, and <var>forceNewConnection</var>.

<li><p>Let <var>codings</var> be the result of <a>extracting header list values</a> given
`<code>Content-Encoding</code>` and <var>response</var>'s <a for=response>header list</a>.

<li><p>If <var>codings</var> is null or does not contain `<code>dcb</code>` or `<code>dcz</code>`,
then return <var>response</var>.

<li><p>Let <var>corpPolicy</var> be the result of <a for="header list">getting</a>
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` from <var>response</var>'s
<a for=response>header list</a>.

<li><p>If <var>response</var>'s <a for=response>type</a> is "<code>opaque</code>" and
<var>corpPolicy</var> is not `<code>cross-origin</code>`, then return a
<a>network error</a>.

<li><p>Let <var>availableDictionaryHash</var> be the result of
<a>getting a structured field value</a> given `<code>Available-Dictionary</code>`,
"<code>bytestring</code>", and <var>request</var>'s <a for=request>header list</a>.

<li><p>Let <var>newBody</var> be a new <a for=/>body</a> whose <a for=body>stream</a> is the
result of transforming <var>response</var>'s <a for=response>body</a>'s <a for=body>stream</a>
with an algorithm that verifies that the dictionary hash in the stream matches
<var>availableDictionaryHash</var> and decodes the rest of the stream with the applicable
algorithm as defined in [[!HTTP-COMPRESSION-DICTIONARIES]]. If verification or decoding fails,
the transformed stream must error.

<li><p>Set <var>response</var>'s <a for=response>body</a> to <var>newBody</var>.

<li><p><a>Delete</a> `<code>Content-Encoding</code>` from <var>response</var>'s
<a for=response>header list</a>.

<li><p>Return <var>response</var>.
</ol>
</div>

<h3 id=http-network-fetch>HTTP-network fetch</h3>

Expand Down Expand Up @@ -6531,6 +6677,7 @@ optional boolean <var>forceNewConnection</var> (default false), run these steps:

<ul>
<li><p>Follow the relevant requirements from HTTP. [[!HTTP]] [[!HTTP-CACHING]]
[[!HTTP-COMPRESSION-DICTIONARIES]]

<li>
<p>If <var>request</var>'s <a for=request>body</a> is non-null, and <var>request</var>'s
Expand Down Expand Up @@ -8387,7 +8534,7 @@ dictionary RequestInit {
any window; // can only be set to null
};

enum RequestDestination { "", "audio", "audioworklet", "document", "embed", "font", "frame", "iframe", "image", "json", "manifest", "object", "paintworklet", "report", "script", "sharedworker", "style", "track", "video", "worker", "xslt" };
enum RequestDestination { "", "audio", "audioworklet", "compression-dictionary", "document", "embed", "font", "frame", "iframe", "image", "json", "manifest", "object", "paintworklet", "report", "script", "sharedworker", "style", "track", "video", "worker", "xslt" };
enum RequestMode { "navigate", "same-origin", "no-cors", "cors" };
enum RequestCredentials { "omit", "same-origin", "include" };
enum RequestCache { "default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached" };
Expand Down