From 4e10f7971a43227049f1b56887bdc6ec8ffd434c Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Tue, 29 May 2018 10:52:37 -0400 Subject: [PATCH] discuss decision to use query args --- docs/proposed/http-storage-node-protocol.rst | 23 ++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/proposed/http-storage-node-protocol.rst b/docs/proposed/http-storage-node-protocol.rst index 6934eb78e..523b2094a 100644 --- a/docs/proposed/http-storage-node-protocol.rst +++ b/docs/proposed/http-storage-node-protocol.rst @@ -322,6 +322,20 @@ For example:: 7: ["baz", "quux"] } +Discussion +`````````` + +Offset and size of the requested data are specified here as query arguments. +Instead, this information could be present in a ``Range`` header in the request. +This is the more obvious choice and leverages an HTTP feature built for exactly this use-case. +However, HTTP requires that the ``Content-Type`` of the response to "range requests" be ``multipart/...``. +The ``multipart`` major type brings along string sentinel delimiting as a means to frame the different response parts. +There are many drawbacks to this framing technique: + +1. It is resource-intensive to generate. +2. It is resource-intensive to parse. +3. It is complex to parse safely [#]_ [#]_ [#]_ [#]_. + Mutable ------- @@ -453,3 +467,12 @@ Just like the immutable version. that provides an unambiguous (if obscure) signal about which protocol to use. Or a different scheme could be adopted (``[x-]pb+http``, ``x-tahoe+http``, ``x-gbs`` come to mind). + +.. [#] + https://www.cvedetails.com/cve/CVE-2017-5638/ +.. [#] + https://pivotal.io/security/cve-2018-1272 +.. [#] + https://nvd.nist.gov/vuln/detail/CVE-2017-5124 +.. [#] + https://efail.de/
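Review bot: In the first hunk (the new "Discussion" section), the sentence "HTTP requires that the ``Content-Type`` of the response to "range requests" be ``multipart/...``" is broader than the HTTP spec. A request for a single range is answered with a 206 response that carries a ``Content-Range`` header and the resource's ordinary content type; ``multipart/byteranges`` only applies when the response carries more than one range. Suggest qualifying the sentence to the multi-range case, and saying explicitly that this endpoint needs several ranges per request if that is the reason single-range responses do not help here. As written, a reader who knows the single-range behaviour may discount the whole argument for query arguments.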
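Review bot: In the second hunk (the four footnote targets appended at the end of the file), each ``.. [#]`` entry is a bare URL, so nothing tells the reader which issue it is or how it supports item 3, "It is complex to parse safely". Suggest adding a short description to each target naming the affected software and the multipart-related flaw. The four ``[#]_`` references are also matched to these definitions purely by order, and the definitions sit well away from the Discussion section after the unrelated URL-scheme text, so a later footnote added anywhere in between would silently re-point them; autonumbered labels such as ``[#struts]_`` would make the pairing explicit.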