Either way, a brotli encoded HTTP body will cause several issues with proxies and middleboxes, multiple of which have been mentioned in by Cloudflare in their email response.
HTTP is TRANSFER, not TRANSPORT. It is an OSI layer 7 protocol. Transport compression (in TLS) occurs at a different layer (OSI layer 5, the session layer).
Of course i have heard of content encoding - i literally stated it in nearly all of my comments to you.
I also said there is a difference between TRANSFER-encoding (which is a choice of middleboxes) and CONTENT-encoding (which is a choice of client) - and that its not clear from the author which they were talking about.
> Either way, a brotli encoded HTTP body will cause several issues with proxies and middleboxes
Lets be clear - by proxies, you mean non-transparent proxies, and by middleboxes you are talking about deep packet inspection, because nothing else could possibly have a problem with the content encoding as they wouldn't even be looking at it.
This isnt cloudflares "problem" to fix.
Im of the opinion that this was a BREACH mitigation and cloudflare accidentaly applied it to http instead of https, as given their position of trust, they surely wouldnt be assisting other actors with content filtering/inspection...
It is very clear, no reason to be rude.
>HTTP is TRANSFER, not TRANSPORT. It is an OSI layer 7 protocol. Transport compression (in TLS) occurs at a different layer (OSI layer 5, the session layer).
People still believe that the world can be neatly divided into 7 to 8 boxes? Incredible (spoiler alert, modern HTTP in form of HTTP/3 is also Transport and Transfer, OSI Model is outdated). In a more serious maner, this is pendantic at best, HTTP's Content-Encoding is a transport compression, plain and simple, unless you worship the things that OSI made (in which case, have fun with X.200 I guess).
>Lets be clear - by proxies, you mean non-transparent proxies, and by middleboxes you are talking about deep packet inspection, because nothing else could possibly have a problem with the content encoding as they wouldn't even be looking at it.
No, I'm talking about things like caching proxies like they are in common use in places that are bandwidth starved or in literally any serious corporate setting.
And yes, this is very much Cloudflare's problem to fix, because the very people that pay them to be their CDN are the people who deploy those middle boxes that break everything. These aren't "deep packet inspection", most of the times it's a forked and patched Squid Proxy.
Squid Proxy very much looks at the encoding because you can in fact configure it to decompress content or compress content regardless of what the server actually sent as well as saving compressed contents to disk.
As other people in this post have pointed out, if you even allow Brotli over HTTP, a lot of middleboxes will serve this brotli compressed content to all clients, regardless of compatibility. Even if you set Vary: Content Encoding.
If Cloudflare allowed this to break then A) paying customers would tell them it's broken and to fix it and B) they'd loose traffic from people unwilling to surf on cloudflare through their proxy.
>Im of the opinion that this was a BREACH mitigation and cloudflare accidentaly applied it to http instead of https, as given their position of trust, they surely wouldnt be assisting other actors with content filtering/inspection...
That seems very far fetched indeed, in which case I hope you have proof that this is a mitigation for BREACH applied to plaintext HTTP?
Its not - feel free to quote a single line from that article that talks about whether they are talking about transfer encoding or content encoding.
Im not sure what you find rude about it? The caps were for emphasis. No offense intended...
> People still believe that the world can be neatly divided into 7 to 8 boxes?
You are the one wanting to redefine what transport means.
> the very people that pay them to be their CDN are the people who deploy those middle boxes that break everything
Brotli compression is a switch in CF. You can turn it on and off. Default on for free/pro and off for business/enterprise.
Further digging into CFs behaviour reveals: "The Accept-Encoding header is not respected and will be removed.". It appears they decide what to compress based on UA. Again, this doesnt sound like any upstream middlebox protection, as they strip the header anyway - i.e. it never gets forwarded to origin, so its got nothing to do with upstream provider.
> Squid Proxy very much looks at the encoding
Point me at the issue in squid where it cant handle an unknown encoding.
> I hope you have proof that this is a mitigation for BREACH applied to plaintext HTTP
The primary mitigation for BREACH is to disable content-encoding when using TLS. As I mentioned, it could be they have applied this mitigation in reverse, to http instead of https. http://www.breachattack.com/#mitigations
