GraphQL: A success story for PayPal Checkout (medium.com)
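IngramChen points 1

Actually, JSON is pitifully small once compressed; any random 50kb JPEG is much bigger. And everything is on HTTP/2 now, so a bunch of small requests is no big deal. These advantages aren't quite enough to make the case for GraphQL.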

yllan points 0

But because of the CRIME / BREACH vulnerabilities, isn't the advice that dynamic responses w/ secrets are best left uncompressed?

IngramChen points 1

That's TLS compression, isn't it?

gzip is fine.

yllan points 1

While CRIME was mitigated by disabling TLS/SPDY compression (and by modifying gzip to allow for explicit separation of compression contexts in SPDY), BREACH attacks HTTP responses. It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.

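But after taking a closer look, its condition is that the HTTP body has to contain both a secret and user generated data, so ordinary JSON that doesn't meet the conditions is indeed fine.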
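
As an added example that is not part of the thread: the conditions from the last comment (a compressed response whose body holds both a secret and reflected user input) written as an audit check in Python, with a measurement of whether the compressed length depends on the secret. The token, control string, page templates and function names are constructed for illustration.

```python
import zlib

def deflate_len(body: str) -> int:
    """Compressed size of a body; TLS hides the content but not this length."""
    return len(zlib.compress(body.encode("utf-8"), 9))

def breach_exposure(body, request_params, secrets, compressed):
    """Check one response against the BREACH preconditions."""
    # Values shorter than 4 chars are skipped so coincidental substrings
    # (e.g. page=1 matching "id":1) are not counted as reflection.
    reflected = sorted(k for k, v in request_params.items()
                       if len(v) >= 4 and v in body)
    exposed = sorted(k for k, v in secrets.items() if v in body)
    return {
        "compressed": compressed,
        "reflects_input": reflected,
        "contains_secret": exposed,
        "at_risk": bool(compressed and reflected and exposed),
    }

def size_signal(render, secret, control):
    """Bytes saved when the reflected value equals the secret instead of an
    unrelated string of equal length. Non-zero: length depends on the secret."""
    if len(secret) != len(control):
        raise ValueError("control must have the same length as the secret")
    return deflate_len(render(control)) - deflate_len(render(secret))

# --- constructed sample data (not from the thread) ---
TOKEN = "9f3ab27c41d8e06b"    # hypothetical CSRF token
CONTROL = "Qz7Lm2Xw5Kp8Rt1Y"  # same length, shares nothing with TOKEN

def html_page(q):
    """Page that embeds the secret and reflects the query string."""
    return (f'<input type="hidden" name="csrf" value="{TOKEN}">'
            f'<p>No results for {q}</p>')

def json_api(q):
    """Plain JSON response: no secret in the body, input not reflected."""
    return '{"items":[{"id":1,"name":"widget"},{"id":2,"name":"gadget"}]}'

if __name__ == "__main__":
    print(breach_exposure(html_page("doorbell"), {"q": "doorbell"},
                          {"csrf": TOKEN}, compressed=True))
    print(breach_exposure(json_api(""), {"page": "2"},
                          {"csrf": TOKEN}, compressed=True))
    print("html size signal:", size_signal(html_page, TOKEN, CONTROL))
    print("json size signal:", size_signal(json_api, TOKEN, CONTROL))
```

A response flagged `at_risk` can be served uncompressed, or changed so the secret and the reflected input no longer share one compressed body.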