- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 14 Sep 2010 12:02:26 +0200
- To: Willy Tarreau <w@1wt.eu>
- CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 14.09.2010 07:50, Willy Tarreau wrote: > ... >> I think there are two concerns here: >> 1) making the spec more complex >> 2) making code implementing the spec more complex >> >> Is it going to cause your implementation problems to refuse messages with two matching content-length headers? > > No, it's even easier, I can remove a test in the code ! But I > suspect that I'll have to relax the check again in a few months > to a few years because of the effect mentionned above. Maybe we > could add a single sentence at the end of point 3 of 3.3 : > > "An implementation MAY accept exact duplicates of valid Content-Length > header fields as a single one, though this practice is discouraged". We currently have: "If a message is received without Transfer-Encoding and with either multiple Content-Length header fields or a single Content-Length header field with an invalid value, then the message framing is invalid and MUST be treated as an error to prevent request or response smuggling." We can't have a MAY relax a MUST; that makes it a "SHOULD". We could relax this edge case from MUST to SHOULD, but it would complicate the spec a lot, and I'm not convinced it's really needed. It would be great to have more data on this. > ... Best regards, Julian
Received on Tuesday, 14 September 2010 10:03:01 UTC