Handling mid-stream errors

[tigt]

No description provided.

[DylanPiercey]

FWIW this is what I've seen in several applications. Curious if this is one of those "kinda not supposed to work but does" things.

[tigt]

It definitely works for browsers and probably search engines, but caches still probably need the explicit indicator that the HTTP response was incomplete.

[tigt]

One thing some of the prior art has handled partially is what happens if the stream error occurs while the HTML has already opened a tag, attribute value, etc. Rails prepends "> and I’ve also seen </script>

GitHub explored this problem even more thoroughly for Dangling Markup Busting in their Post-CSP journey

[tigt]

Spitballing here:

out.streamErrorRedirect = function (url) {
  out.shouldMarkAsIncomplete = true;
  out.write(`
    <!--'"--><!--]]></style></script></textarea></select></template>-->
    <meta http-equiv=refresh content="0;url=${url}">
    <script${out.global.cspNonce ? ' nonce='+out.global.cspNonce : ''}>location=${JSON.stringify(url)}</script>
    <a href=${url}>Follow this link if you aren’t redirected</a>
  `);
};

• Should there be a default error page URL taken from out.global.error500Url, like out.global.cspNonce?

• How much should Marko protect against dangling markup? Rails and other existing solutions don’t seem to care much.

• Writing further error content should still happen with whatever is inside <@catch>, in case both the inline <script> and meta[http-equiv=refresh] fail (not likely, but certainly not impossible.) Should it go before or after the stream error redirect markup? My vote is for before.

[DylanPiercey]

@tigt I might've missed this in another part of this discussion, but is there value in writing both the meta and script tags here? In which case would one work but not the other? I feel like meta is more practically reliable and works with js disabled which is a bonus.

[DylanPiercey]

I'll also add that having dangling markup is probably very rare since for the most part things are escaped. To have dangling markup it would mean that you would have gotten your application into a state where you are passing invalid markup to an unescaped interpolation which is an issue in and of itself.

[tigt]

I don’t know of a specific browser where it happens, but my intuition makes me worry about relying solely on the option that is technically invalid HTML — all it would take is one high-profile unescaped markup attack to make some security-conscious browser ignore meta refreshes in the <body>. (Maybe Tor Browser or Brave already do.)

[tigt]

Blast from the future: turns out there might be value in writing both meta[http-equiv="refresh"] and window.location=. WebKit changeset 280,870:

Meta HTTP refresh should not navigate if document has sandboxed automatic features browsing context flag set:

• ​https://html.spec.whatwg.org/multipage/semantics.html#shared-declarative-refresh-steps (Step 13)

Firefox and Chrome already behave this way.

I haven’t managed to figure out what the spec means by that yet, but putting it here for later.

[DylanPiercey]

This is interesting. If express's next/error handler does support this properly then perhaps using the marko/express plugin should be good enough. We actually forward Marko's errors to express in that case.

[mlrawlings]

Only uncaught errors though. The case we need to think about is when the error was caught and so we were able to render a page for the user, but we want to signal that content is missing to any proxies/bots/etc. that might otherwise cache/index a page that didn't render all its content.

If we did want to rely on this for those cases, we'd probably have to hold off on firing the event until just before Marko ends the stream, otherwise express would close the connection before we were done rendering. We'd also probably want to use an event other than error since I know there's already apps out there listening for that event and doing a script/meta redirect.

[tigt]

Yeah, especially since real HTTP errors don't change the URL address. Maybe redirecting isn't a good pattern in the first place; it's certainly unexpected for users, and there isn't a valid, clean way to express it in the bedrock HTML or HTTP layers.

…

On Sun, Apr 12, 2020, 12:13 PM Dylan Piercey ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In proposals/0000-surface-async-stream-errors-to-http.md <#1 (comment)>: > + <dt>HTTP/1.1 <code>Transfer-Encoding: chunked</code></dt> + <dd><a href="https://httpwg.org/http-core/draft-ietf-httpbis-messaging-latest.html#incomplete.messages">IETF Draft: HTTP/1.1 Messaging §8 Handling Incomplete Messages</a></dd> + <dd><p>If a chunked response doesn’t terminate with the zero-length end chunk, the client must assume that the response was <i>incomplete</i> — which at the very least, <a href="https://httpwg.org/http-core/draft-ietf-httpbis-cache-latest.html#rfc.section.3.1">means a cache should double-check with the server before reusing the stored incomplete response</a>.</p></dd> + + <dt>HTTP/2 Streams</dt> + <dd><a href="https://tools.ietf.org/html/rfc7540#section-5.4.2">RFC 7540 §5.4.2 Stream Error Handling</a></dd> + <dd><p>An HTTP/2 stream can signal an application error by sending a <code>RST_STREAM</code> frame with an error code of <code>0x2 INTERNAL_ERROR</code>.</p></dd> +</dl> + +This proposal explores how Marko should surface errors from server components to the HTTP layer, so the response can properly signal an error with one of the above methods. + +## Guide-level explanation + +Developers should be able to tell Marko how important an async error is: + +1. Our example from the Motivation section is as serious as it gets — you might even want to redirect to a completely different error page I guess one work around would to be store the original page url and do some magic if the referrer is the error page itself to navigate back. Seems a bit strange though. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB5S2SVZNRJNN3OJ5OH2KADRMHSENANCNFSM4MDVSGFQ> .

[tigt]

This is how I’m leaning after thinking for a few days:

I don’t want to encourage mid-page redirects

• Changing the URL is user-hostile:
  • It breaks the Refresh button, which is how 99% of users will successfully fix transient streaming errors
  • It makes it hard to bookmark the page and come back later to see if the error is gone
  • Real HTTP errors don’t change the URL, so redirecting violates the principle of least surprise
  • The user may still value the rest of the page — imagine they visit the homepage to use the navigation, but a stream error keeps kicking them to a navigationless error page instead
• There isn’t a 100% vetted way to implement the redirect in a layer low enough I’m comfortable with on the framework layer:
  • HTML validation may be important to some authors, so meta[http-equiv=refresh] in the body has the drawback of being invalid. (I’m also not certain it works everywhere, such as more exotic user agents.)
  • Sure, only ~0.8% of folks intentionally turn off JavaScript, but some authors today still find value in not relying on JS — such as NearlyFreeSpeech.NET’s site panel or WordPress’s admin area.
  • The dangling markup defenses seem to hit a dangerous combination of:
    • Anticipating everything a web author could possibly do, including new elements and syntax we can’t know of
    • Potential security issues
    • Happens rarely enough that the above problems won’t receive the scrutiny they need

If the intent of existing implementations (e.g. Rails) is to have a fallback generic error handler/message for the user, we can achieve that with some API for uncaught <await>s.

Handling mid-stream errors is something Marko should have docs for

The fact that I had to do quite a bit of research for a problem that’s existed since 1997 suggests that this is information Marko authors could certainly use.

• Describe deciding importance for a given part of the page, and what authors can do:
  • Very important parts of the page should show an error message, much like a 5XX handler
  • Somewhat important parts could fall back to an “unenhanced” version, maybe linking to a dedicated endpoint for that content (especially useful for <await> with timeout)
  • Trivial parts can have empty <@catch>es
• Explain pitfalls with the mid-page redirect pattern
• Note challenges of getting outer layers to correctly handle the streaming error signals Marko emits (NGiNX, etc.)
• Explain/link to the specific, standardized HTTP ways of signaling mid-stream errors, since it’s not obvious where to find the specs for this

[tigt]

It also seems like Marko could know if an underlying stream is for Node’s http or http2 modules, and emit error signals appropriately:

• http should close the TCP connection
• http2 should send RST_STREAM
• Anything else would do nothing other than the error event Marko already fires

It seems like out instanceof require('http').ServerResponse is the official way to do it. But since it’s very common to create generic streams that eventually get piped somewhere else, there should also be a way for authors to tell Marko it’s destined for some kind of HTTP stream eventually — probably the same per-request API that lets authors turn off this error signaling for misbehaving middle/endboxen.

[tigt]

Show-stopping errors

It is highly recommended not to begin streaming a Marko response (or any HTTP response) for crucial page content, such as:

• If a product URL addresses a product you have (200 OK) or something completely bogus (404 Not Found)
• If a user-specific area has valid authentication (200 OK) or needs to log in first (403 Forbidden)
• If a time-limited promotion has ended (401 Gone) or is still ongoing (200 OK)

In these cases, you should wait to begin the HTTP stream until you know which status code to send.

If you want to begin streaming ASAP for performance reasons, consider the following:

• The TCP connection still warms up to grow its window size while your server thinks about the status code.
• If you want to preload likely assets during server think time, use the 103 Early Hints status code.
• HTML caching can remember the status code and accelerate future queries after a more-expensive first one.

Trivial errors

Do nothing different. If you don’t care that the “recommended for you” section renders or not, <@catch> the error and swallow it silently.

Something in-between

This is where advice for listening to the Marko stream’s error event and sending either invalid Transfer-Encoding: chunked bytes or RST_STREAM frames would go.

Responsibilities that Marko can help developers with:

• Showing a human-facing error message, perhaps a default one with <button formaction="" formmethod="post">reload this page</button>
• Finishing the streamed response, but with proper signaling to indicate the HTTP response is damaged and should not be indexed/cached
• Clear expectations of browser behavior and how to test if the used approach is propagating between middleboxen to the end-user

[taylor-hunt-kr]

Related: I found an old Apache bug ticket on correctly forwarding malformed CTE streams: https://bz.apache.org/bugzilla/show_bug.cgi?id=55475

Lots of relevant discussion, URLs, and good examples of running code in there.

[tigt]

I pinged the HTTP working group at httpwg/http-core#895, and that thread contains a few links and a suggestion to bring this problem area to the httpwg mailing list