Sketch loading and caching in the explainer based on Kinuko's description

[jyasskin]

Thanks @kinu! This is a subset of your document that I think will give folks like the TAG enough to go on. The rest of your doc is most of the specification.

https://github.com/jyasskin/webpackage/blob/sketch-loading/explainer.md#signed-exchange-loading-sketch

[kinu]

Thanks for starting this! I have some comments/questions (probably more, but here're initial ones)

[kinu]

nit: would it be better to say it depends on if the request is for a navigation or not? (Not sure how this text is confusing or not to the readers)

[jyasskin]

Yeah, probably. Done.

[kinu]

'only if the Service Worker responds with...' part felt a bit confusing (in this paragraph it's not clear if we're talking about fetching the physical URL in general or the case that with the embedder's SW).

[jyasskin]

I was worrying about either the physical URL's or the embedder's SW receiving the application/signed-exchange response but calling e.respondWith(somethingElse). I can probably just ignore that subtlety for the explainer and let folks assume that SWs will return the real resource.

[kinu]

Should it be clearer if we say 'If it fails to validate the signature' given that this talks about general validation failure cases (e.g. clock skew etc)? (While I also found that we're using the text 'find a valid signature' throughout this change, so this is probably intentional?)

[jyasskin]

My idea here is that signed exchanges can have several signatures, some of which are invalid for this client (but might be valid for some other client), some of which are valid but not origin-trusted, and some of which are both valid and origin-trusted. The basic verification process is a search through those signatures for one that's both valid and origin-trusted. Does that make sense? I definitely want to avoid implying that there's exactly one signature, but I'm happy to reword to make this clearer.

[kinu]

Do you have some example scenarios?

[jyasskin]

1. The Accept header includes image/newformat, the response is actually in that format and so Chrome can't display it, and this winds up in the cache, preventing Chrome from doing a later request with our actual Accept headers, which would content-negotiate for an image we could actually display.
2. The Accept-Language header doesn't match the user's language preferences, and the response is something they can't read. If we dropped the exchange with mis-matched request headers, we might negotiate the right response.

I don't have an example of confusing the client beyond just caching an unusable resource that could have been content-negotiated using a connection to the real server. I guess that any real confusion could also be caused by a server that served a malicious response, so Chrome's already hardened against that.

We could put mismatched request headers in the preload cache and just exclude them from the HTTP cache, so a malicious or buggy intermediate would only hurt itself? It seems simpler to skip all caching, but you'd know better what's easier to implement.

[kinu]

Let me clarify... at this point we start talking about caching the response(s) in the signed exchange, is that right?

[jyasskin]

Heh, yes, that wasn't clear at all. Is this new wording better?

[kinu]

Loos a lot clearer, thanks!

[kinu]

I don't feel super comfortable having this text yet, UA should respect the cache headers but not sure if it should cache the response in the signed exchange. Also: mentioning 'preload cache' here feels a bit confusing, it should come into play only when the signed exchange is 'preloaded', right?

[jyasskin]

Ah, I hadn't caught that whether to HTTP-cache it was still up in the air. I'll mention that.

I could be misunderstanding the preload cache in general, but my impression was that (whatever we call it) it's the place that stores prefetches, preloads, the thing https://w3c.github.io/ServiceWorker/#navigation-preload-manager manages, and anything else where we want to use an already-stale response "once".

[kinu]

I see. Since the issue (whatwg/fetch#590) isn't closed yet I added a question to ask for the clarification there, that would probably give you some additional context too. For now I just assume this is talking about 'a cache' for preload/prefetch or whatever.

[jyasskin]

Blargh. whatwg/fetch#590 (comment) makes me realize that this is definitely not the preload cache. The preload cache has a bit of behavior that I want, but it sits after the Service Worker (i.e. caches SW responses), while we're currently thinking of this thing as sitting before the SW and providing input to it.

You mentioned prefetch "basically just puts things in HTTP cache": does that mean that when the subsequent page requests the prefetched thing, the request goes through the subsequent page's Service Worker, and the SW finds the prefetched thing if the it calls down to the network?

[kinu]

You mentioned prefetch "basically just puts things in HTTP cache": does that mean that when the subsequent page requests the prefetched thing, the request goes through the subsequent page's Service Worker, and the SW finds the prefetched thing if the it calls down to the network?

Yeah that what happens.

[kinu]

Thanks! Added some more comments. (Let me know if you want to land this earlier than later, we can keep discussing even after committing this if you prefer)

[kinu]

Loos a lot clearer, thanks!

[kinu]

Reading this further I started to worry that we say a lot about the HTTP cache here.

Does it make sense to have this part (putting it in HTTP cache) as an optional behavior, or could the spec leave which cache to put the resource up to UA? Say, we can define a conceptual signed response cache and note that the behavior can be implemented in the HTTP cache if UA wants?

My concern is layering, efficiency and complexity: The signed exchange itself is cacheable, which seems to mean that the signed exchange layer sits on top of HTTP cache, therefore populating HTTP cache with the contents extracted from the signed exchange could mean:

1. we may waste disk space by caching the data in dup'ed way (signed and non-signed ones)
2. we may need to populate HTTP cache from the layer above it, which is probably unprecedented
3. we need to make the HTTP cache understand the signed exchange logic and associate each entry with the corresponding signature in order to process the revalidation logic stated below

[jyasskin]

I don't think we can leave it entirely up to the UA, because developers will be able to see the differences, and our experience with the HTTP/2 Push cache makes me worried about introducing any visibly-different cache.

If we say that this all goes into the HTTP cache, but we also say that signed exchanges can't contain other signed exchanges or redirects, does that allow you to implement the specified behavior using two layers, to avoid your concerns?

I played with the idea of not caching at all, but that'll break the case where we prefetch the .sxg and try to use its logical URL directly, which hurts non-AMP users, so I don't think it's realistic.

[kinu]

I still think having the signed responses only in so-called preload cache (or undefined memory cache thing) could make sense, at least from impl pov. We sill cache the signed exchange, so having a layer that processes it and potentially caches it up to a certain period seems to be fairly natural to me (this is what we do for images, scripts etc), and that resolves your perf concern? That model fits well with the expiration model too.

[kinu]

Does this imply that the signature's expiration has somewhat sticky effect on the resources that are installed from the signed exchange / bundle? For some use cases like offline PWA installation this may not make a lot sense, or may have some inconsistency? E.g. I think we'd want to keep the PWA's SW and assets installed from a bundle/exchange valid even after the signature expires, is that right?

[jyasskin]

Yes, I'm currently thinking that the signature's expiration sticks to the resources it guarded. We could argue the opposite based on the fact that we don't expire resources after their certificate or OCSP response expires, but I haven't been arguing that so far because those uses at least have a liveness guarantee at the point when the resource arrived.

For offline use, I'm going to argue (#117) that we should extend signature expiration times by O(a month) as long as the client is continuously offline and can't fetch updates, rather than that we should just ignore signature expiration.

[kinu]

I see reg: offline use case. What do you think about the following two cases:

• UA populates HTTP cache with resources extracted from the signed exchange, and they expire when the signature of them expire
• SW populates Cache Storage with resources come from the signed exchange (and SW may know the fact or not), and they will be around even after the signature of the original exchange expires

My mental model has been that the expiration matters when we process the signed exchange, but once if it's processed the resources that come from the signed exchange could just look similar to others. I think I'm fine with the current text, but wanted to note that (partly because not sticking the signature info is easier to implement).

[kinu]

I don't think the FetchEvent needs to include the notification, but if SW wants to know about that we can do that by utilizing navigation preload (only for the SWs that have enabled the feature), is the argument.

[jyasskin]

I agree that we can probably ship without this notification, but I think people will want it sooner or later. I'll downgrade my language here.

The existing navigation preload only applies to navigations, while signed exchanges also offer a response for subresources, so I think we'll need to extend its current spec. I also don't think we need opt-in to expose this: navigation preload needs opt-in because it adds an extra maybe-useless request, but this just exposes something that's happening anyway.

[jyasskin]

Let's see if we converge in the next couple rounds instead of committing early.

[jyasskin]

Yes, I'm currently thinking that the signature's expiration sticks to the resources it guarded. We could argue the opposite based on the fact that we don't expire resources after their certificate or OCSP response expires, but I haven't been arguing that so far because those uses at least have a liveness guarantee at the point when the resource arrived.

For offline use, I'm going to argue (#117) that we should extend signature expiration times by O(a month) as long as the client is continuously offline and can't fetch updates, rather than that we should just ignore signature expiration.

[jyasskin]

I don't think we can leave it entirely up to the UA, because developers will be able to see the differences, and our experience with the HTTP/2 Push cache makes me worried about introducing any visibly-different cache.

If we say that this all goes into the HTTP cache, but we also say that signed exchanges can't contain other signed exchanges or redirects, does that allow you to implement the specified behavior using two layers, to avoid your concerns?

I played with the idea of not caching at all, but that'll break the case where we prefetch the .sxg and try to use its logical URL directly, which hurts non-AMP users, so I don't think it's realistic.

[jyasskin]

I agree that we can probably ship without this notification, but I think people will want it sooner or later. I'll downgrade my language here.

The existing navigation preload only applies to navigations, while signed exchanges also offer a response for subresources, so I think we'll need to extend its current spec. I also don't think we need opt-in to expose this: navigation preload needs opt-in because it adds an extra maybe-useless request, but this just exposes something that's happening anyway.

[mnot]

HTTP freshness can't be modified like this; any upstream caches (e.g., CDN) won't be aware of these special semantics.

I think the two approaches you have are:

1. Don't do that -- i.e., make sure HTTP cache lifetime is always shorter than the signature expiration.
2. If a client encounters a fresh cached response with an expired signature, it can force-refresh using things like Cache-Control: max-age in requests. Be aware, though, that request cache directives are ignored by many...

[jyasskin]

If I rewrite this sentence as "If we put the content of the signed exchange in the HTTP cache", does that fix things for you? I definitely don't mean that the envelope needs to have different cache behavior, just the signed bits we pull out of the envelope. (I'm looking for clearer words about this; distinguishing the envelope format from the logical HTTP exchange inside it has been tricky.)

I think that's ok because the upstream caches like CDNs can only put the contents of a signed exchange into their cache if they understand signed exchanges, which means they're modifying code anyway and can also modify it in this way. I could even be wrong about that because it'd be code owned by two different groups?

[mnot]

As above, if the response is still fresh, upstream caches will consider it so, so you'll need to cache-bust.

[jyasskin]

Here, the client would make an unconditional request to the validity-url, as described by https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#updating-validity, and it's fine for intermediates to cache that with normal HTTP semantics, and if the caching headers are set wrong, the client will probably wind up re-fetching the resource with a normal TLS request to its logical URL (the original publisher's origin), at which point any CDNs are welcome to serve their cached copy if they have one.

[mnot]

I feel like I'm missing something here -- what does "first update the signature and then check for a 304" mean?

[jyasskin]

To update the signature, the client follows https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#rfc.section.3.6. Then "check for a 304" is probably equivalent to "makes a conditional request". It's intended to be the two bullets above.

[mnot]

Until their interaction with Push is specified, I wonder if it's better to just leave this out.

[jyasskin]

In the explainer, I think it makes sense to lay out the goal, even though we haven't written down exactly how we're getting there yet. In the loading specification, I think you're right that I should only add the PUSH route when I can actually write down how the browser processes it.

Does that make sense? If you're not convinced, I'm not dead set on keeping this entry.

There's also a question of whether it makes sense to target Push in any new feature...

[mnot]

This terminology feels a bit generic; could we come up with something a bit more specific?

[jyasskin]

I don't have any better terms offhand, but I'll look for some.

[kinu]

Some more lightweight comments (before think more about HTTP cache ones)

[kinu]

It feels this should be allowed.

[kinu]

This seems questionable, given the text above says we stop prefetch steps before populating HTTP cache with the signed responses

[kinu]

I think yes.

[kinu]

No, for the same reason?

[jyasskin]

I need to think through how this affects how authors need to write their content, using more time than I have today, but thanks for also thinking about it.

[jyasskin]

I'll update the content tomorrow, but some quick responses today:

[jyasskin]

I don't have any better terms offhand, but I'll look for some.

[jyasskin]

In the explainer, I think it makes sense to lay out the goal, even though we haven't written down exactly how we're getting there yet. In the loading specification, I think you're right that I should only add the PUSH route when I can actually write down how the browser processes it.

Does that make sense? If you're not convinced, I'm not dead set on keeping this entry.

There's also a question of whether it makes sense to target Push in any new feature...

[jyasskin]

If I rewrite this sentence as "If we put the content of the signed exchange in the HTTP cache", does that fix things for you? I definitely don't mean that the envelope needs to have different cache behavior, just the signed bits we pull out of the envelope. (I'm looking for clearer words about this; distinguishing the envelope format from the logical HTTP exchange inside it has been tricky.)

I think that's ok because the upstream caches like CDNs can only put the contents of a signed exchange into their cache if they understand signed exchanges, which means they're modifying code anyway and can also modify it in this way. I could even be wrong about that because it'd be code owned by two different groups?

[jyasskin]

To update the signature, the client follows https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#rfc.section.3.6. Then "check for a 304" is probably equivalent to "makes a conditional request". It's intended to be the two bullets above.

[jyasskin]

Here, the client would make an unconditional request to the validity-url, as described by https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#updating-validity, and it's fine for intermediates to cache that with normal HTTP semantics, and if the caching headers are set wrong, the client will probably wind up re-fetching the resource with a normal TLS request to its logical URL (the original publisher's origin), at which point any CDNs are welcome to serve their cached copy if they have one.

[jyasskin]

I need to think through how this affects how authors need to write their content, using more time than I have today, but thanks for also thinking about it.

[kinu]

Looking at the comments by mnot, it seems intermediates may just go on and can cache the responses in the signed exchanges regardless of the request was for prefetches or not. Is that right, and if so should we note something here?

[jyasskin]

I think @mnot is talking about proxies caching the enveloped signed exchange instead of proxies unwrapping the signed exchange and caching its contents (#173 (comment)), but if he does think they'll blindly unwrap things, I need to think about the implications.

[mnot]

Proxies today won't do anything to the body -- they'll just cache things according to the various HTTP caching rules, just like wiht everything else.

[jyasskin]

I've now made the layering more explicit and removed the claim that we'll put the inner exchange in the HTTP cache. There's still a section saying to explore that later.

How's it look now?

[jyasskin]

Does the preload cache might look equivalent to the memory/image cache to developers? If so, I should probably merge them in this list.

[kinu]

Having them separately looks good to me (Blink has separated preload cache out of memory cache, and it looks Yoav's trying to sketch preload cache roughly following the way

[kinu]

Thanks, this looks good / the layering part looks a lot clearer to me! Left a few nit comments + some questions.

[kinu]

This part can be in a different PR?

[jyasskin]

I can avoid moving it in this PR.

[kinu]

Having them separately looks good to me (Blink has separated preload cache out of memory cache, and it looks Yoav's trying to sketch preload cache roughly following the way

[kinu]

(HTTP cache and prefetch cache are not really different things in chrome impl, but that's probably fine)

[kinu]

'the outer exchange that fetches the outer resource' this sentence was unclear to me, what 'fetches' means here?

[jyasskin]

Hm, yeah, that's unclear. How about "whose response's payload is the outer resource"?

[kinu]

Does this extra check run only when the fetch comes from/via the Service Worker? We also say the response is not really distinguishable between inner responses as a part of signed exchange vs regular resources from SW for now, they feel slightly inconsistent to me.

[jyasskin]

The extra check should happen even when there's no SW or no fetch handler in the SW. I tend to think of a page without a SW as equivalent to a page whose SW does nothing in its fetch handler, so if it looks like I'm deviating from that, or if that's the wrong model for me to have, let me know. :)

[kinu]

Yeah +1 to keep this as an open discussion for now

[kinu]

nit: annotate this as (TBD) too?

[jyasskin]

Done.

[jyasskin]

I think this is pretty much stable now, so I'll merge it. Comments and bugs are still welcome.