Hi Cory, I’m not subscribed to web-sig but I read the discussion there. Feel free to forward my answer to the group if you think it’s useful.
I have roughly the same convictions as Graham Dumpleton. If you want to support HTTP/2 and WebSockets, don’t start with design decisions anchored in CGI. Figure out what a simple and flexible API for these new protocols would be, specify it, implement it, and make sure it degrades gracefully to HTTP/1. You may be able to channel most of the communication through a single generator, but it’s unclear to me that this will be the most convenient design. If you want to improve WSGI, here’s a list of mistakes or shortcomings in PEP 3333 that you can take a stab at. There’s a general theme: for a specification that looks at the future, I believe that making modern PaaS-based deployments secure by default matters more than not implementing anything beyond what’s available in legacy CGI-based deployments. 1. WSGI is prone to header injection vulnerabilities issues by design due to the conversion of HTTP headers to CGI-style environment variables: if the server doesn’t specifically prevent it, X-Foo and X_Foo both become HTTP_X_Foo. I don’t believe it’s a good choice to destructively encode headers, expect applications to undo the damage somehow, and introduce security vulnerabilities in the process. If mimicking CGI is still considered a must-have — 1% of current Python web programmers may have heard about it, most of them from PEP 3333 — then that burden should be pushed onto the server, not the application. 2. More generally, I fail to see how mixing HTTP headers, server-related inputs, and environment variables in a dict adds values. It prevents iterating on each collection separately. It only makes sense if not offering more features than CGI is a design goal; in that case, this discussion doesn’t serve a purpose anyway. It would be nicer and possibly more secure if the application received separately: a. Configuration information, which servers could read from environment variables by default for backwards compatibility, but could also get through more secure channels and restrict to what the application needs in order to better isolate it from the entire OS. b. Server APIs mandated by the spec, per request. c. HTTP headers, per request. 3. Stop pretending that HTTP is a unicode protocol, or at least stop ignoring reality when doing so. WSGI enforces ISO-8859-1-decoded str objects in the environ, which is just wrong. It’s all the more a surprising choice since this change was driven by Python 3, that UTF-8 is the correct choice, and that Python 3 defaults to UTF-8. Django has to re-encode and re-decode before doing anything with HTTP headers: https://github.com/django/django/blob/d5b90c8e120687863c1d41cf92a4cdb11413ad7f/django/core/handlers/wsgi.py#L231-L253 4. Normalize the way to tell the application about the original protocol, IP address and port. When dev and ops responsibilities are separate, this is clearly an ops responsibility, but due to the lack of standardization devs end up dealing with this problem in custom middleware, when they do it at all. Everyone keeps getting it wrong, which introduces security vulnerabilities. Also it always breaks silently on infrastructure changes. 5. Improve request / response length handling and connection closure. Armin and Graham have talked about in the past and know the topic better than I do. There’s also a rejected PEP by Armin which made sense to me. As you can see from these comments, I don’t quite share the design choices that led to WSGI as it currently stands. I think it will be easier to build a new standard than evolve the current one. I hope this helps! -- Aymeric. > On 4 janv. 2016, at 13:43, Cory Benfield <[email protected]> wrote: > > All, > > An effort has begun over in the PSF Web-SIG special interest group to come up > with a new version of the WSGI specification. > <https://mail.python.org/pipermail/web-sig/2016-January/005357.html> The goal > is to develop a successor to WSGI that will be more useful in the development > of modern, asynchronous web applications, with the goal of making available > all of the improvements in both HTTP and Python that have come through in the > years since PEP 333. > > As Django is one of the major users of WSGI, any attempt to specify a new > version without getting input from the Django community and development team > would be extremely foolish! This is therefore a request for input: I'd like > it very much if the Django development team could come up with a response to > the email linked earlier, indicating what the Django team would like from a > new version of WSGI and what you believe the priorities should be. For > obvious reasons there may not be consensus around this issue amongst the > Django developers, and that's fine: multiple submissions from Django would be > entirely acceptable. > > Trying to improve something as well-established as WSGI is going to be > extremely difficult, and it'll only work if communities like Django's step up > to help build something that we can all be proud of. I hope that you're as > excited by that idea as I am! > > A side note: I'm very aware of Andrew Godwin's work with channels, and it may > be that the Django community believes that that model is the future of web > programming in Python. If that's the case, then please let us know. I > personally don't believe that it's the right direction for WSGI, but I may be > wrong (I've been wrong before!). > > If you have any questions, please don't hesitate to ask. I'm looking forward > to working with you all! > > Cory > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:[email protected]>. > To post to this group, send email to [email protected] > <mailto:[email protected]>. > Visit this group at https://groups.google.com/group/django-developers > <https://groups.google.com/group/django-developers>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/aea5f21c-20c7-49ab-a1ca-2376ca0b92f2%40googlegroups.com > > <https://groups.google.com/d/msgid/django-developers/aea5f21c-20c7-49ab-a1ca-2376ca0b92f2%40googlegroups.com?utm_medium=email&utm_source=footer>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/05174F81-A0C0-46C5-B300-6F0FE3ADB105%40polytechnique.org. For more options, visit https://groups.google.com/d/optout.
