web application security lab

HTTP Request Bundle

On one of the lists I’m on, the concept of a “request bundle” came up. One of the major performance issues of the web-based internet is the multiple requests coming in from a single browser. When a browser makes a request to a webpage, it’s not just one request. It could be dozens of them. Every single piece of embedded HTML, CSS, JavaScript, Flash movies, sounds and every image on a page must be called in its own session. The concept of a “request bundle” is to make a single call and get all of the items at once in one bundle instead of multiple requests.

If the server in question cannot handle a request bundle (older servers), the request would revert to the older style of one request at a time. It’s an interesting idea, but it may have several hidden implications. The first implication is perceived performance. Funny, because the whole point is to improve performance. But if you have a table with an image in it and the table doesn’t know how big the image will be because of poorly designed HTML, it has to wait for the image to download before it can render. Likewise, the whole style of the page could also be wrapped up in that bundle. What if I have JavaScript turned off? I have to download it anyway, unlike before when I just downloaded what I needed.

The second is a more complex issue. What about the issue of session riding? Can I now make several requests at the same time? How does that affect the security model? Can I do GET DoS more efficiently by only making one request that in fact denotes thousands of calls to CPU or computationally expensive operations or functions? Previously I’ve seen people watch to see if certain objects were downloaded to tell if the user had certain things installed. Well, now they are all downloaded at once. So maybe those would fall outside of the bundle and be called individually?

I’m sure there are other hidden issues, but I thought I’d at least throw that idea out to the general public to get the thought out there. Any other hidden issues?
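The GET DoS question above comes down to how a server meters work: a limiter that counts requests sees a bundle as one unit, however much work it names. The sketch below is an added example, not code from the original post or from any bundle proposal; the bundle format (a list of paths), the cost table, the item cap and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed cost table: static files are cheap, dynamic endpoints are not.
COST = {"/logo.png": 1, "/site.css": 1, "/app.js": 1, "/search": 25, "/report": 50}
DEFAULT_COST = 5
MAX_ITEMS = 32  # assumed policy: hard cap on entries in one bundle


def cost_of(path: str) -> int:
    """Look up cost by path only, so a query string cannot dodge the table."""
    return COST.get(path.split("?", 1)[0], DEFAULT_COST)


@dataclass
class Budget:
    """Per-client work budget for one rate-limit window."""
    units: int = 100
    spent: int = 0

    def charge(self, amount: int) -> bool:
        if self.spent + amount > self.units:
            return False
        self.spent += amount
        return True


def naive_admit(budget: Budget, bundle: list) -> list:
    """Per-request accounting: the whole bundle is charged as one request."""
    return list(bundle) if budget.charge(1) else []


def metered_admit(budget: Budget, bundle: list) -> tuple:
    """Per-item accounting. Returns (served, deferred); deferred items fall
    back to ordinary single requests, which are charged the same way."""
    if len(bundle) > MAX_ITEMS:
        return [], list(bundle)  # oversize bundle: serve nothing from it
    served, deferred = [], []
    for path in dict.fromkeys(bundle):  # drop duplicates, keep order
        (served if budget.charge(cost_of(path)) else deferred).append(path)
    return served, deferred


def work_units(paths: list) -> int:
    """Total server-side work the admitted paths represent."""
    return sum(cost_of(p) for p in paths)
```

With the naive limiter, a 30-item bundle of the most expensive path costs the client one unit and the server 1500; the metered version charges each item against the same budget that single requests use, so bundling gives no discount on work.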

12 Responses to “HTTP Request Bundle”

  1. WhiteAcid Says:

    I don’t quite see how it’d work.
    Say I request, my browser won’t know to request the image and any external js files (if any) until the page has fully loaded. Sure it could ask for the favicon along with the index page, but that’s about it.

    Usually images, .js files and whatever are just cached anyway, so while you are sending a request for each file in most cases you’ll just get a reply saying your version is still current.

  2. RSnake Says:

    I’m guessing this would be more useful for AJAX stuff where you want to pull down nearly a full page but you want it to be quick. But even still, there may be situations where you could put a bundle at the top of the document and pull down all the elements in that document before they are actually required on the page.

    The whole intent is to avoid the overhead of requesting new images each time. Anything cached would return cached. I don’t imagine it would break any standards in that way.

  3. Sylvan von Stuppe Says:

    How is that different from the browser using HTTP Keepalives? Are they wanting a mechanism where rather than serial requests over a single connection (HTTP Keepalives) you make all the requests at once, and they come back serially?

  4. RSnake Says:

    That’s my understanding having read it, yes. One request many different files zipped up together and read/interpreted by the client.

  5. Jungsonn Says:

    This idea of the request bundle, isn’t this the same as an https/ssl connection? I mean, http is a stateless protocol.

  6. RSnake Says:

    I think they are trying to extend it to have more state. It’s definitely not the same as https as there would be no overhead of encryption. It would only have compression of a bundle of images/files.

  7. MERLiiN Says:

    Disclaimer; I am not familiar with the suggested technology, I am merely thinking out loud.

    The first thing that comes to mind is document injection. Assuming that the output would be comparable to that of attachments in emails one could imagine that headers or content could be manipulated by injecting expected output for say logo.png through server side scripting thus changing the image displayed as logo.png. It can be handled, but what is the trade-off?

  8. maluc Says:

    Same disclaimer.

    But I think HTTP bundling will be more of a hindrance than a performance boost, for the most part. Specifically because it’s very anti-caching.. and caching is a huge speed boost.

    I’m assuming, an HTTP bundle will be pretty analogous to a pre-packed zip file containing all files on the page - all javascripts, all CSS, all images, all HTML. The problem is when you click a link to another page, and you download its bundle. All the css/js/banners that are used across the entire site have to be redownloaded. That makes surfing even slower than before!

    Now bundles could be specified in a way to tell the website which files you already have, and then for the server to send a dynamically created bundle of only the new/updated files.. but that makes it even more processor intensive, putting servers under heavier load.

    The only benefit I see it making, is to onnnly bundle the site-wide CSS, javascripts, and images. turning those 10 requests into two (bundle+current page). But with web designers being the nitwit, fad chasing, ruby loving, mac humping, volvo driving, hippies that they are - they’re gunna use it in all the wrong situations and just make their sites slower and harder to manage =.=

    The benefits don’t warrant the effort.


  9. NoLi Says:

    I think this web very interesting

  10. RSnake Says:

    maluc that all may be very true, but there are certainly circumstances where it could “pre-load” content that the application knew you were going to be using momentarily. Such is the case with AJAX for instance. And if you are only sending your cookies upstream once, that can actually save a lot of transactional overhead. Maybe?

  11. Rahul Sharma Says:

    I think this is really required, any one working on AJAX would have realized that such a technique is a boon.

  12. Jerome Lapointe Says:

    This is very interesting. I’ve been puzzling over how to do this myself. I started thinking about this stuff when I got “YSlow” and more so when I read about “Bundle Fu”…

    One thing seems clear, if you want to save on the HTTP request you need to either have the items already in the cache by the time it gets parsed… or some way of telling it not to do a request… Otherwise you’re not saving the time you wanted to save.

    Ideally you do not have to specify what to put in the bundle.. the browser figures what it needs by the page content… the headers indicating that the server can serve archives, it then makes a request for an archive (stating its preferred format from what the headers stated the server could offer)… and boom, the files all come in… archived on the spot, probably as a tar file… obviously it would be preferable to separate images from other content items so you could gzip the archive where applicable…