Re: NEW ISSUE: message-body in CONNECT response

Actually there are (I'm fairly sure) cases where a 200 response comes 
back to a CONNECT request with an HTML body.

For instance, proxies that return a challenge page for authentication.

In this case, surely the message that is the response to the CONNECT 
command is not part of the tunneled data, and so any body on that 
message should likewise not be counted as tunneled data, but rather part 
of the response.

Maybe the requirement should be that there must be a Content-Length set 
(regardless of whether there is a non-zero length body), or other more 
normal methods of message delineation before entering the tunneling phase.

Regards

Adrien


Dan Winship wrote:
>
> As implemented in the real world, a successful response to a CONNECT 
> request does not include a message-body. But this isn't stated in RFC 
> 2817, and is actually forbidden by RFC 2616.
>
> draft-luotonen-web-proxy-tunneling said:
>
>     Example of a response:
>
>           HTTP/1.0 200 Connection established
>           Proxy-agent: Netscape-Proxy/1.1
>
>           ...data tunnelled from the server...
>
>     After the empty line [that follows the message-headers], the proxy
>     will start passing data from the client connection to the remote
>     server connection
>
> but RFC 2817 (5.3) removes the lack-of-message-body implication:
>
>     Any successful (2xx) response to a CONNECT request indicates that
>     the proxy has established a connection to the requested host and
>     port, and has switched to tunneling the current connection to that
>     server connection.
>
> And RFC 2616 (4.3) requires a 200 response to a CONNECT to have a 
> message-body anyway:
>
>     All responses to the HEAD request method MUST NOT include a
>     message-body, even though the presence of entity-header fields might
>     lead one to believe they do. All 1xx (informational), 204 (no
>     content), and 304 (not modified) responses MUST NOT include a
>     message-body. All other responses do include a message-body,
>     although it MAY be of zero length.
>
>
> So to fix things, RFC 2616 4.3 should be updated to include "A 
> successful (2xx) response to a CONNECT request MUST NOT include a 
> message-body." And if 2817 is in-scope for 2616bis then the fact 
> should probably be reiterated there too.
>
> -- Dan
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Monday, 26 November 2007 19:46:38 UTC
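
Added example, not part of the thread and not code from either poster: the two delimiting rules discussed above (tunnel begins after the empty line, versus a Content-Length body is consumed first) applied to the same bytes. All function names and the sample response are constructed for illustration.

```python
# Added illustration: two ways a client can locate the start of tunneled data
# after a 2xx CONNECT response. Names and sample bytes are constructed.

def split_head(raw: bytes):
    """Return (status code, headers dict, bytes after the empty line)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest

def tunnel_after_empty_line(raw: bytes):
    """Deployed behaviour: no body, tunnel starts right after the empty line."""
    status, _, rest = split_head(raw)
    if not 200 <= status < 300:
        raise ValueError("CONNECT was not successful")
    return b"", rest  # (body, tunneled bytes)

def tunnel_after_content_length(raw: bytes):
    """Suggested rule: require Content-Length, consume the body, then tunnel."""
    status, headers, rest = split_head(raw)
    if not 200 <= status < 300:
        raise ValueError("CONNECT was not successful")
    value = headers.get(b"content-length")
    if value is None or not value.isdigit():
        raise ValueError("no usable Content-Length: cannot delimit the body")
    length = int(value)
    if len(rest) < length:
        raise ValueError("body truncated")
    return rest[:length], rest[length:]

# Constructed sample: a 200 carrying an HTML challenge page, then server bytes.
PAGE = b"<html>login required</html>"
SAMPLE = (b"HTTP/1.1 200 Connection established\r\n"
          b"Content-Length: " + str(len(PAGE)).encode() + b"\r\n\r\n"
          + PAGE + b"\x16\x03\x01")
```

Under the first rule the HTML page is handed to the tunnel consumer as if the origin server had sent it; under the second it stays with the proxy's response, and a response without Content-Length is rejected rather than guessed at.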