I have tested a few browsers (namely firefox, edge, chrome and chromium, in their mobile and desktop versions) and found that each of them sent the following accept-encoding header value: gzip, deflate, br when performing a request.
According to the doc, this header field consists of a list of encodings supported by the browser, in order of preference. What surprises me is that brotli (br) is listed last, which means that it is less likely to be the selected algorithm for content-encoding than gzip even though it should achieve a better compression ratio.
Is there a specific reason as to why browser tends to prefer gzip over brotli ?
I am not seeing anywhere in the specifications that the ordering has any meaning. To the contrary, I see that a preference can only be expressed by providing quality weights for the encoding, and that providing such preferences from the client side is discouraged. It is up to the server to pick among the choices that the client can accept, however it likes.
Related
I'd like to specify a hash to my CSP of an allowed font.
Currently my default-src is none, then for font-src I have 'self'.
My font is currently included as data, like so: "data:font/ttf;base64,AAEAAAARAQ..."
Instead of just adding data: to my font-src, I'd like add the hash. I'm not sure if this is possible, or how to properly do it. I've taken the sha256 hash of "data:font/ttf;base64,AAEAAAARAQ..." and included it as 'sha256-asldfkj' in my font-src, but that did not work.
Any insight would be greatly appreciated!
1). 'hash-value' kind of 'sha256-he03geRc75f', 'sha384-nd78ro9==' etc. are applied to the inline scripts and inline styles only, see the second "Note" to para 5 of CSP3 spec.
2). CSP3 spec did extend hashes usage to external scripts (but Firefox still have a bug with this). Note in this case you have to use integrity= attribute in the tag.
Therefore hashes are not applicable to fonts because of para 1) above (plus, you probably forgot to use the integrity= attribute).
The data:-URL is considered as URL to external resource, not as inline. Therefore hashes are not applicable because of para 2) above too.
Note: The 'hash-value' is supported to allow external scripts with data:-urls in Chrome.
I was searching about something on Git when I noticed that in the query string, there's a parameter utf8 and its value is ✓! Not utf8=yes or utf8=true.
The full URL is following in Chrome and Firefox:
https://github.com/Modernizr/Modernizr/search?utf8=✓&q=browser&type=
But following in IE:
https://github.com/Modernizr/Modernizr/search?utf8=%E2%9C%93&q=browser&type=
So it seems to be a way of detecting the encoding scheme for the URL, but does anyone know for sure? Also, aren't there any simpler ways of doing this?
From a StackExchange question:
By default, older versions of IE (<=8) will submit form data in Latin-1 encoding if possible. By including a character that can't be expressed in Latin-1, IE is forced to use UTF-8 encoding for its form submissions, which simplifies various backend processes, for example database persistence.
If the parameter was instead utf8=true then this wouldn't trigger the UTF-8 encoding in these browsers.
This is a hack/feature of Rails (which Github is built with) to force IE to submit UTF-8 text.
It's a feature of Rails (which GitHub is built with), although it's not specific to Rails.
I have an old style ISAPI filter which intercepts SF_NOTIFY_SEND_RESPONSE and changes the Content-Type to / and sets Content-Encoding to empty string. It happens when the response body is smaller than some threshold and its done for compression cancelation. So far it works but I have two concerns.
Is this the right way to do what I've done from technical point of view?
Could Content-Type altering be potentially dangerous?
Looks like setting Content-Encoding to empty string is enough, this way you dont have to deal with mime-type changes which can be potentially dangerous
Is there any data regarding how browsers actually support rest http verbs (especially PUT, DELETE). This question is mostly motivated by the fact that many sources (such as this stackoverflow answer) inform that most browsers don't suport PUT and DELETE but don't say which.
Rails solves this using a patch on the client, and reversing the patch on the server, but I wonder, for instance, which browsers wouldn't need such hack.
When in doubt, ask Anne:
http://annevankesteren.nl/2007/10/http-method-support
It's a couple of years old, but it gives a clean bill of health to PUT and DELETE, but it also tries different cases of more obscure verbs like TRACE and PROPFIND:
Van Kesteren tested Firefox 3, Opera 9.5 and Internet Explorer 7, a mix of pre-release and releases. GET and POST worked as expected, and all supported the standard set of http methods from RFC 2616. There are some casing issues, so you should try to stick with uppercase always; TRACE and OPTIONS are edge cases with problems found in Firefox and Opera, respectively. CONNECT and TRACE and SEARCH are problematic for IE. Bear in mind that this was written in 2007 so YMMV.
I think the whole confusion over browsers not supporting other than GET and POST stems from the fact that the HTML specification lists only these two in the HTML <form> element:
The method attribute of the FORM element specifies the HTTP method used to send the form to the processing agent. This attribute may take two values:
get: With the HTTP "get" method, the form data set is appended to the URI specified by the action attribute (with a question-mark ("?") as separator) and this new URI is sent to the processing agent.
post: With the HTTP "post" method, the form data set is included in the body of the form and sent to the processing agent.
This is the reason why browsers only support GET and POST natively in HTML; since the standard says so.
The current (January 2014) XMLHttpRequest specification on the other hand states explicitly that request methods should be allowed through with some exceptions (CONNECT, TRACE or TRACK), and that RFC2616 methods should be uppercased:
\6. If method is a case-insensitive match for CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, or TRACK, subtract 0x20 from each byte in the range 0x61 (ASCII a) to 0x7A (ASCII z).
If it does not match any of the above, it is passed through literally, including in the final request.
EDIT Another source that has come to more or less the same conclusion: That XMLHttpRequest supports PUT and DELETE: http://jshirley.vox.com/library/post/xmlhttprequest-and-rest.html (warning, broken link as of May 2014).
EDIT The question has been asked before of course, but the two year old answers are still valid.
EDIT Short resume of Anne van Kesteren's page from 2007, and added section on HTML vs XMLHttpRequest
See the PutDeleteSupport page of the Atom Wiki. You might be interested in browsing other Atom Wiki pages related to HTTP.
I have been reading about how to build plug-ins and this "MIME type" keeps getting discussed in it. I have tried to look into it and know that it is Multipurpose Internet Mail Extensions (MIME) but no suitable explanation of how it relates to browser plug-ins, as in what I need to know about it for building plug-ins, is provided, please explain in clear and simple words. What is it? Why do plug-ins have a MIME type?
A MIME type is a label used to identify a type of data. It is used so software can know how to handle the data. It serves the same purpose on the Internet that file extensions do on Microsoft Windows.
So if a server says "This is text/html" the client can go "Ah, this is an HTML document, I can render that internally", while if the server says "This is application/pdf" the client can go "Ah, I need to launch the FoxIt PDF Reader plugin that the user has installed and that has registered itself as the application/pdf handler."
You'll most commonly find them in the headers of HTTP messages (to describe the content that an HTTP server is responding with or the formatting of the data that is being POSTed in a request) and in email headers (to describe the message format and attachments).
MIME stands for Multi-purpose Internet Mail Extensions. MIME types form a standard way of classifying file types on the Internet. Internet programs such as Web servers and browsers all have a list of MIME types, so that they can transfer files of the same type in the same way, no matter what operating system they are working in.
A MIME type has two parts: a type and a subtype. They are separated by a slash (/). For example, the MIME type for Microsoft Word files is application and the subtype is msword. Together, the complete MIME type is application/msword.
Although there is a complete list of MIME types, it does not list the extensions associated with the files, nor a description of the file type. This means that if you want to find the MIME type for a certain kind of file, it can be difficult. Sometimes you have to look through the list and make a guess as to the MIME type of the file you are concerned with.
MIME stands for Multipurpose Internet Mail Extensions. It's a way of identifying files on the Internet according to their nature and format.
For example, using the Content-type header value defined in a HTTP response, the browser can open the file with the proper extension/plugin.
Internet Media Type (also Content-type) is the same as a MIME type. MIME types were originally created for emails sent using the SMTP protocol. Nowadays, this standard is used in a lot of other protocols, hence the new naming convention "Internet Media Type".
A MIME type is a string identifier composed of two parts: a type and a subtype.
The "type" refers to a logical grouping of many MIME types that are closely related to each other; it's no more than a high level category.
"subtypes" are specific to one file type within the "type".
The x- prefix of a MIME subtype simply means that it's non-standard.
The vnd prefix means that the MIME value is vendor specific.
Source
Explanation by analogy
Scenario 1:
Imagine someone sent you this letter:
ഹായ്, നിങ്ങൾക്ക് എങ്ങനെയുണ്ട്? ബി.ജെ.പി പാർട്ടിയുടെ അകത്തുള്ളവർ നടത്തിയ ഏറ്റവും പുതിയ റിപ്പോർട്ട്/ കൈക്കൂലി എന്താണ്?
What does it mean? Consider the steps involved:
First, identify the language.....(Is it Tamil?)....identifying the language takes a lot of computational energy: are you going to check all the languages in the world?;
You can only decode, after you identify the language.
Scenario 2:
Language: Malayalam (see translation link) ഹായ്, നിങ്ങൾക്ക് എങ്ങനെയുണ്ട്? ബി.ജെ.പി പാർട്ടിയുടെ അകത്തുള്ളവർ നടത്തിയ ഏറ്റവും പുതിയ റിപ്പോർട്ട്/ കൈക്കൂലി എന്താണ്?
Now, the language is identified up-front (malayalam, not tamil), and is written on the letter. Half the work is done, and you can proceed to decoding it.
Tying the analogy back in with HTML
Because there are different types of data formats, sent over the internet: specifying the data type up front would allow the corresponding client to properly interpret and render the data, with little computational effort.
Remember, computers communicate using 1s and 0s. This is what happens when html is sent to you:
MIME TYPE: MP3 1001010101....
MIME TYPE: PDF 1001010101....
Once you know the mime type, you can PLAY the audio, and VIEW the PDF.
I couldn't possibly explain it better than Wikipedia does in Media type:
In addition to e-mail applications, Web browsers also support various MIME types. This enables the browser to display or output files that are not in HTML format.
In other words, it helps the browser (or content consumer, because it may not just be a browser) determine what content they are about to consume; this means a browser may be able to make a decision on the correct plugin to use to display content, or a media player may be able to load up the correct codec or plugin.
It is useful to think of MIME in the context of the client-server model. Clients and servers communicate over what is known as the HTTP protocol. In an HTTP request or response, we can have a body. The Content-Type or MIME type specifies what is the type of the body, like text/javascript or something else like audio, video, etc.
However, MIME types are not limited just to HTTP.
As the name suggests, MIME stands for Multipurpose Internet Mail Extensions. Originally, SMTP only supported ASCII-encodings. However, there as a need for more. We could use MIME to slap a label on the content being transmitted or received.