Re: Navigation Error Logging spec update from Arvind Jain on 2013-12-10 (public-web-perf@w3.org from December 2013)

From: Arvind Jain <arvind@google.com>
Date: Mon, 9 Dec 2013 18:03:39 -0800
To: "Aaron Heady (BING AVAILABILITY)" <aheady@microsoft.com>
Cc: public-web-perf <public-web-perf@w3.org>
Message-ID: <CAOYaDdOzNOp=db8o8rDmeS4L8G0OprUm0tOCJPav9iGooq0k=g@mail.gmail.com>

I think we should not retry the logging fetch. I hope that addresses the
DDOS issue.

Arvind


On Mon, Dec 9, 2013 at 10:06 AM, Aaron Heady (BING AVAILABILITY) <
aheady@microsoft.com> wrote:

>  At some point we discussed how the UA should behave if it is a private
> browsing session. It should likely not log anything. Does that need to be
> alluded to in 5 Privacy and Security?
>
>
>
> Looking at *enableNavigationErrorReporting. *This looks like it could
> spiral out of control if both the content origin and the logging origin is
> host on the same architecture. For example:
>
>
>
> A request to http://example.com results in a HTTP 500 because of a bug on
> the origin when it is under too much load (DDOS, internal capacity issue,
> etc). The UA formats a NavigationErrorEntry and prepares to send it to
> http://example.com/logging. That in turn results in a 500 error, and
> increases the load on the origin.
>
>
>
> Should there be some back off logic? If a logging fetch fails, don’t try
> again for n*2 seconds, doubling as it continues to fail. If a logging fetch
> fails, does it retry? That is getting into the beacon logic, but it seems
> like if we are going to allow some global set of UA’s to automatically send
> logging fetches during errors, then we need some idea to limit how much
> further impact they could cause, or it is DDOS waiting to happen.
>
>
>
> Aaron
>
>
>
>
>
> *From:* Arvind Jain [mailto:arvind@google.com]
> *Sent:* Sunday, December 8, 2013 11:32 AM
> *To:* public-web-perf
> *Subject:* Re: Navigation Error Logging spec update
>
>
>
> Checking in.
>
>
>
> Do folks have any comments on the draft?
>
>
>
> Arvind
>
>
>
> On Fri, Nov 29, 2013 at 6:25 PM, Arvind Jain <arvind@google.com> wrote:
>
>  I added two methods to the interface to allow reporting of errors in
> real time to a report url as per *ACTION-117 -* *Add method to allow
> ability to send to a third party url.*
>
>
>
>
> https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationErrorLogging/Overview.html
>
>
>
> Please review and let me know if you have any concerns.
>
>
>
> Arvind
>
>
>

Received on Tuesday, 10 December 2013 02:04:09 UTC