
Re: HTTPbis -10 drafts published : Connection header

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 14 Jul 2010 18:17:45 -0700
Cc: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <54425382-92C7-4D87-B68B-70A9A8BFFB51@gbiv.com>
To: Adrien de Croy <adrien@qbik.com>
On Jul 14, 2010, at 5:45 PM, Adrien de Croy wrote:

> that's quite an interesting scenario
> 
> if a proxy were to receive a request message with say
> 
> Connection: content-type
> 
> in it, what do you think should the proxy do?

Delete the content-type header, as required by HTTP/1.1.

> a) ignore it (not remove Content-Type)
> b) reject the message (client attempted exploit)
> c) something else
> 
> it may be clear enough for Content-Type, but what about some other header (e.g. header not known about by the proxy).  Should we have a requirement that a proxy should reject any message that has a token in the Connection header that is not a known hop-by-hop header?

That would be the complete opposite of the reason we have the
Connection header -- to indicate what headers are hop-by-hop.
We needed it precisely to indicate hop-by-hop extensions.

There is absolutely no risk in following the instruction
exactly as indicated.  The sender already has control over the
bits being sent, and your proxy should be enforcing its constraints
on what to forward *after* the message is processed for forwarding.

....Roy
Received on Thursday, 15 July 2010 01:18:15 GMT
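The behaviour Roy describes above (remove whatever the Connection header names, then let the proxy apply its own forwarding constraints to what is left) can be shown in a few lines. The following is an added illustration, not code from the thread or from any proxy discussed in it. It assumes the fixed hop-by-hop set from RFC 2616 section 13.5.1 (also RFC 7230 section 6.1), treats headers as an ordered list of (name, value) pairs, and uses a single hypothetical forwarding rule (an HTTP/1.1 request must carry Host) to stand in for a real proxy's policy.

```python
"""Hop-by-hop header handling for a forwarding proxy (added example).

Order of operations, as argued on the list:
  1. strip every header named in Connection, plus the fixed hop-by-hop set;
  2. only then decide whether the remaining message may be forwarded.
"""
from typing import List, Optional, Set, Tuple

# Fixed hop-by-hop header names (RFC 2616 s13.5.1 / RFC 7230 s6.1), lower-cased.
ALWAYS_HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
})

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs, repeats allowed


def connection_tokens(headers: Headers) -> Set[str]:
    """Collect every token from every Connection header, lower-cased.

    Tokens such as 'close' or 'keep-alive' that do not name a header are
    harmless here: they simply match nothing when used as header names.
    """
    tokens: Set[str] = set()
    for name, value in headers:
        if name.lower() == "connection":
            for tok in value.split(","):
                tok = tok.strip().lower()
                if tok:
                    tokens.add(tok)
    return tokens


def strip_hop_by_hop(headers: Headers) -> Tuple[Headers, List[str]]:
    """Return (headers to forward, names that were removed).

    Matching is case-insensitive, as HTTP header names are. The Connection
    header itself is always removed; the next hop gets its own.
    """
    to_drop = ALWAYS_HOP_BY_HOP | connection_tokens(headers)
    forwarded: Headers = []
    removed: List[str] = []
    for name, value in headers:
        if name.lower() in to_drop:
            removed.append(name)
        else:
            forwarded.append((name, value))
    return forwarded, removed


def check_forwarding_policy(headers: Headers) -> Optional[str]:
    """Hypothetical proxy constraint, applied AFTER hop-by-hop processing.

    Returns None when the message may be forwarded, else a reason string.
    The only rule here is that an HTTP/1.1 request needs a Host header.
    """
    names = {name.lower() for name, _ in headers}
    if "host" not in names:
        return "missing Host header"
    return None


def process_request(headers: Headers) -> Tuple[str, object]:
    """Full pipeline: ('forward', headers) or ('reject', reason)."""
    forwarded, _removed = strip_hop_by_hop(headers)
    reason = check_forwarding_policy(forwarded)
    if reason is not None:
        return ("reject", reason)
    return ("forward", forwarded)


if __name__ == "__main__":
    # Constructed sample: the exact case from the thread, Connection naming
    # Content-Type. The proxy deletes Content-Type and forwards the rest.
    request = [
        ("Host", "example.com"),
        ("Connection", "content-type"),
        ("Content-Type", "text/plain"),
        ("Accept", "*/*"),
    ]
    print(process_request(request))
```

Note that nothing is rejected merely because Connection named an end-to-end header: the instruction is followed, and the proxy's own rules then judge the resulting message.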

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:23 GMT