Re: Is forwarding hop-by-hop headers a MUST-level violation?

From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Fri, 16 Jul 2004 00:02:55 -0600 (MDT)
To: Jamie Lokier <jamie@shareable.org>
Cc: ietf-http-wg@w3.org
Message-ID: <Pine.BSF.4.58.0407152356440.70373@measurement-factory.com>

On Tue, 13 Jul 2004, Jamie Lokier wrote:

> Note that the semantics of the hop-by-hop header Proxy-Authorization
> are that it MAY be forwarded.  So wording of the hop-by-hop section
> should perhaps not say that Proxy-Authorization MUST be removed, as
> it would be a contradiction.

I hesitate to open another debate around this. We simply lack the
proxy terminology (client-side actions versus server-side actions,
etc.) to perfectly express what we want. I would just use the existing
language, but make it normative.

> > 	2) attempts to increase the probability that old and new
> > 	implementations will do the right thing (by listing all
> > 	hop-by-hop headers in the Connection header)
> >
> > I do not have strong feelings about (2). Adding a few bytes to a few
> > messages does not bother me much, but I am worried that, in some
> > corner cases, listing more headers in Connection might expose
> > currently undetected vulnerabilities in old products.
>
> I wouldn't be surprised to find some old products check for Connection
> == "close", or !strncmp(connection, "close") if you see what I mean.

I saw some _new_ products that do that. That is one reason why I am
not pushing for (2).

Thanks,

Alex.
Received on Friday, 16 July 2004 02:03:01 GMT
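
The whole-string comparison mentioned in the thread stops recognizing "close" once other hop-by-hop header names are listed alongside it in Connection. The C sketch below is an added example, not code from the thread or from any product discussed in it; it contrasts that check with one that treats the field value as a comma-separated, case-insensitive token list. The function names and the sample value are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fragile check from the thread: treats the whole field value as one token. */
static int naive_is_close(const char *value)
{
    return strcmp(value, "close") == 0;
}

/* Case-insensitive compare of an n-byte span against a NUL-terminated token. */
static int span_equals(const char *s, size_t n, const char *token)
{
    if (strlen(token) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)token[i]))
            return 0;
    return 1;
}

/* Returns 1 if the comma-separated Connection value lists `token`. */
static int connection_has_token(const char *value, const char *token)
{
    const char *p = value;
    while (*p) {
        while (*p == ',' || *p == ' ' || *p == '\t')   /* separators, leading space */
            p++;
        const char *start = p;
        while (*p && *p != ',')                        /* scan one list element */
            p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                                     /* trim trailing space */
        if (end > start && span_equals(start, (size_t)(end - start), token))
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *v = "Proxy-Authorization, Close";      /* constructed sample value */
    printf("naive=%d token-aware=%d\n", naive_is_close(v), connection_has_token(v, "close"));
    return 0;
}
```

The same token-aware lookup is what an intermediary needs in order to find which header names the sender marked as hop-by-hop before forwarding a message.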