W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2004

Re: Is forwarding hop-by-hop headers a MUST-level violation?

From: Jamie Lokier <jamie@shareable.org>
Date: Tue, 13 Jul 2004 12:12:14 +0100
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: ietf-http-wg@w3.org
Message-ID: <20040713111214.GA31339@mail.shareable.org>

Alex Rousskov wrote:
> 	1) documents the intent of the original wording in a normative
> 	and consistent way (proxies MUST NOT forward)

> I did not hear any objections to (1). Can we declare consensus on that
> part of the fix?

From my corner, hand raised in a yes-from-me way.

Note that the semantics of the hop-by-hop header Proxy-Authorization
are that it MAY be forwarded.  So wording of the hop-by-hop section
should perhaps not say that Proxy-Authorization MUST be removed, as it
would be a contradiction.

> 	2) attempts to increase the probability that old and new
> 	implementations will do the right thing (by listing all
> 	hop-by-hop headers in the Connection header)
> 
> I do not have strong feelings about (2). Adding a few bytes to a few
> messages does not bother me much, but I am worried that, in some
> corner cases, listing more headers in Connection might expose
> currently undetected vulnerabilities in old products.

I wouldn't be surprised to find some old products check for Connection
== "close", or !strncmp(connection, "close") if you see what I mean.
I've never investigated it though; it may just be over-carefulness on
my part that I insist on making close the first token when it's
present.  (And when it's not, if Keep-Alive is present I make that the
first token for the same reason).

I am not sure if it makes sense to require TE, Trailers and
Proxy-Authorization are listed in Connection because those weren't in
the hop-by-hop list of RFC 2068.  Perhaps they are all sufficiently
harmless in the cases where they might be forwarded by an RFC 2068 proxy.

-- Jamie
Received on Tuesday, 13 July 2004 07:12:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:35 GMT