Hi,
This sounds reasonable.
I've just checked my experimental implementation in haproxy and I'm
indeed missing this check. There are two reasons to this, which I think
could indicate others might have done the same mistake :
- the header values are prefixed with their length so there's no need
to parse their contents before copying ;

- the reminder of the list of forbidden characters is only present in
the security consideration section of 7540 and never mentionned in
7541, while it's mostly when processing hpack that such characters
have a chance to be detected.

So at least some check would be needed on other implementations (well,
I might very well have produced the only bogus one, but I think that
overlooking this is easy).
I really don't like this, because it becomes possible for a sender to
produce special values on the other side by benefitting from the
decoding, thus evading certain filtering measures. For example, an
agent may send :

Content-Encoding: \x00\x83\x38\xa9

and the binary-aware recipient having to "encode" it as gzip would
apply base64 to "\x83\x38\xa9" and would produce :

Content-Encoding: gzip

You can apply the same principle to other fields like content-length or
other and easily cause some trouble. If you need this, at the very least
it's important to enclose the encoded value between some "rare enough"
characters to prevent such risks. Something like this for example :

Binary-Header: $b64<Y2h1bmtlZA==>$

The example above would produce :

Content-Encoding: $b64<gzip>$

That's just an example of course.
Good point.
This is really the part which needs to be verified I think.

I'm now thinking that prefixing the value with <CR><NUL> instead of <NUL>
could be more efficient : while <NUL> may translate to an end of string
on many implementations and simply result in a field silently being
processed as empty, a <CR> in the middle of a string is always an
error, unless the next character is <LF> in which case what follows is
the next header field. In case a gateway would inappropriately forward
the <CR> to HTTP/1, it would produce an invalid message, even if
truncated on the <NUL> since the line would end in <CR><CR><LF>.
I don't disagree and think that some fields could later become binary
(dates, etc). I'm just extra careful for knowing that most HTTP/1 parsers
are extremely lazy and that at least one H2 parser (the one I wrote) does
not notice the presence of <CR>, <LF> or <NUL> in values. But this one is
not yet deployed so it can be fixed. I don't know for other ones.

Cheers,
Willy

The prohibition of these characters is a Security Considerations
requirement in HTTP. It would be best to keep that fact clearly
up-front. It was not a casual / arbitrary design decision, so the
reasons for it cannot just be ignored when implementing or negotiating
extended behaviour.

So long as HTTP/1 <-> HTTP/2 gateways exist the security attacks will
remain a problem. This is not a theoretical problem either,
intermediaries are still fending off active attacks and malformed agent
messages involving these three characters in HTTP/1.x environment before
HTTP/2 mapping even gets involved.

The simple problem is that one cannot guarantee the absence of a mapping
gateway in any transaction. So it HAS to be considered by every agent
involved.
It is worth noting that base64 encoding is more efficiently encoded by
HPACK. So avoiding it is a con', not a pro'.
It is worth noting that the RFC7540 offers some benefits here. Any of
their internal traffic using the extended ability that gets leaked will
be actively rejected by RFC7540 compliant agents outside.
There is no need for this. With the SETTINGS value already negotiating
the ability HPACK simply needs to decode the wire syntax into a binary
'string' header.

Agents that comply and reject the headers will not be negotiating to
accept them. If the binary value sent in any particular message header
does not use these trouble characters there is no harm in letting it
through, so artificially forcing rejection is not beneficial here like
the RFC 7540 requirement was for default / general use.
As written that would violate RFC 7540. This requirement needs to take
the form of prohibiting sending binary headers to any peers which has
not explicitly negotiated the extension being defined.
ie, comply with RFC7540 an all connections unless explicitly
negotiated otherwise on a per-connection basis.
Of course they can. Every coding language has some form of array or
linked-list structure available.

To display these type of header in *ASCII MiME format* on the other hand
requires encoding by the display agent. HTTP/2 does not change any
requirements around display, it is concerned only with the on-wire delivery.
No. MUST NOT. RFC 7540 still applies during this pre-negotiation period.
Agents which assume capabilities not specific in HTTP/2 *will* get into
trouble eventually.
How do you plan on making it "native HTTP/2" without replacing the whole
HTTP/2 RFC *and* getting that new specification rolled out to the
non-QUIC world?

(I am Seriously interested in that answer. Many of us middleware
implementers have been pushing for UTF-8 / binary support in headers for
around 10 years already and progress has been painfully slow).

It seems to me you [like several of us] are dreaming of
HTTP/3-over-QUIC. Not HTTP/2-over-QUIC, extended or otherwise. I am very
doubtful that getting all this done before QUIC rolls out is going to be
possible - a negotiable extension is far more realistic and will allow a
testing rollout to happen before everybody in the HTTP world has to
change code for it.

Amos

As with other typed header fields (and let's be clear, binary blob is just another type), this isn't about changing HTTP/2, it's about changing HTTP. Currently, header fields in HTTP are, by definition, sequences of octets with a scoped range of valid values. If you change the allowed values, that's a change at the semantic layer, not to any given transport mapping. This is the HTTP WG; we can do that, but let's be clear what we're talking about. But we'd need to have reasonable ways of ensuring that the values are sanitized before they're passed to "legacy" HTTP consumers.

As you note, HTTP/2 and HPACK are already perfectly capable of transporting these octets. You can even Huffman-encode a binary blob if you want -- all possible values are listed in the table, though non-ASCII octets are severely disadvantaged. That's precisely what the Security Considerations says -- HTTP/2 (i.e. the TCP mapping) is capable of transporting header values that aren't valid HTTP, and it's the HTTP layer's responsibility to validate that. Obviously, if you rev HTTP to make those valid values, those checks would be modified. The HTTP/QUIC mapping is no different -- it's capable of transporting these values already, but the HTTP layer knows they're not valid.

On the whole, I can see niche situations where this might be useful, but I think it will be difficult to deploy generally. Our stacks essentially act as HTTP/1.1-to-2 intermediaries within client and server; we don't assume that the apps above our layer are HTTP/2-aware, though obviously we expose ways to take advantage of extra features. Unless we wanted to add additional header set/get APIs that supported typing, I suspect we would initially opt not to advertise this extension rather than base64-encode headers upon arrival. That's just extra work for no apparent benefit.

And if we're going to go this route and modify HTTP itself, let's have a reasonable set of types instead of just adding one at a time. 😊

-----Original Message-----
From: Piotr Sikora [mailto:***@google.com]
Sent: Monday, August 28, 2017 6:35 PM
To: HTTP Working Group <ietf-http-***@w3.org>
Cc: Craig Tiller <***@google.com>
Subject: HTTP/2: allow binary data in header field values

Hi,
as discussed with some of you in Prague, I'd like remove the restriction on CR, LF & NUL characters and allow binary data in header field values in HTTP/2.

Both HTTP/2 and HPACK can pass binary data in header field values without any issues, but RFC7540 put an artificial restriction on those characters in order to protect clients and intermediaries converting requests/responses between HTTP/2 and HTTP/1.1.

Unfortunately, this restriction forces endpoints to use base64 encoding when passing binary data in headers field values, which can easily become the CPU bottleneck.

This is especially true in multi-tier proxy deployments, like CDNs, which are connected over high-speed networks and often pass metadata via HTTP headers.

The proposal I have in mind is based on what gRPC is already doing [1], i.e.:

1. Each peer announces that it accepts binary data via HTTP/2 SETTINGS option,

2. Binary header field values are prefixed with NUL byte (0x00), so that binary value 0xFF is encoded as a header field value 0x00 0xFF.
This allows binary-aware peers to differentiate between binary headers and VCHAR headers. In theory, this should also protect peers unaware of this extension from ever accepting such headers, since RFC7540 requires that requests/responses with headers containing NUL byte
(0x00) MUST be treated as malformed and rejected, but I'm not sure if that's really enforced.

3. Binary-aware peers MUST base64 encode binary header field values when forwarding them to peers unaware of this extension and/or when converting to HTTP/1.1.

4. Binary header field values cannot be concatenated, because there is no delimiter that we can use.

NOTE: This proposal implies that endpoints SHOULD NOT use binary header field values before receiving HTTP/2 SETTINGS from the peer.
However, since, at least in theory, all RFC7540-compliant peers unaware of this extension MUST reject requests with headers containing NUL byte (0x00) with a stream error, endpoints could opportunistically use binary header field values on the first flight and assume that if peer isn't aware of this extension, then it will reject the request, which can be subsequently retried with base64 encoded header field values.

I'd like to hear if anyone strongly disagrees with this proposal and/or the binary data in header field values in general. Otherwise, I'm going to write a draft and hopefully we can standardize this before HTTP/2-over-QUIC, so that binary header field values can be supported there natively and not via extension.

[1] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fgrpc%2Fproposal%2Fblob%2Fmaster%2FG1-true-binary-metadata.md&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C3c1991f44f854de0c52e08d4ee7eaa87%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636395675174515196&sdata=dd2q2yYa%2FeBFZvJIvRsJhOjriWgrHPrxnRxmMFvjxss%3D&reserved=0

How does this interact with
https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-01?

Jeffrey