W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: [#95] Multiple Content-Lengths

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 20 Sep 2010 15:51:32 -0700
Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <D106632C-FDC6-4C71-B13B-42F797D14532@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>
On Sep 19, 2010, at 10:57 PM, Mark Nottingham wrote:

> I've been talking to a few browser vendors about this off-list (and encouraging them to get involved on-list).
> 
> Two have indicated that they intend to implement as specified, although there's some agreement that a duplicate C-L can be ignored, as Willy has implemented.
> 
> There have also been questions about the text seeming to encourage implementers to display the content when there are mismatching C-L's; although it's written so they're not required to do so, it might be good to refine this a bit.
> 
> Two replied that they have concerns about displaying errors to end users. If they come on-list and discuss their concerns, we can discuss this more.
> 
> One hasn't replied.
> 
> Based on those discussions, I'm reopening issue #95, and making a straw-man proposal to kick off discussion:
> 
> Current (-11): 
> 
>   3.  If a message is received without Transfer-Encoding and with
>       either multiple Content-Length header fields or a single Content-
>       Length header field with an invalid value, then the message
>       framing is invalid and MUST be treated as an error to prevent
>       request or response smuggling.  If this is a request message, the
>       server MUST respond with a 400 (Bad Request) status code and then
>       close the connection.  If this is a response message received by
>       a proxy or gateway, the proxy or gateway MUST discard the
>       received response, send a 502 (Bad Gateway) status code as its
>       downstream response, and then close the connection.  If this is a
>       response message received by a user-agent, the message-body
>       length is determined by reading the connection until it is
>       closed; an error SHOULD be indicated to the user.
> 
> Proposed:
> 
>   3.  If a message is received without Transfer-Encoding and with
>       either multiple Content-Length header fields indicating different
>       lengths or a single Content-
>       Length header field with an invalid value, then the message
>       framing is invalid and treated as an error to prevent
>       request or response smuggling.  If this is a request message, the
>       server MUST respond with a 400 (Bad Request) status code and then
>       close the connection.  If this is a response message received by
>       a proxy or gateway, the proxy or gateway MUST discard the
>       received response, send a 502 (Bad Gateway) status code as its
>       downstream response, and then close the connection.  If this is a
>       response message received by a user-agent, it SHOULD NOT
>       be used, but if it is the message-body
>       length is determined by reading the connection until it is
>       closed, and the user SHOULD be informed of the problem. 
>       Subsequent responses on the connection MUST NOT
>       be used.

I don't have a problem with the first change (duplicate headers
being allowed) or "Content-Length: n, n".

The latter changes don't work.  "it" is ambiguous, and
"SHOULD NOT be used" is a new requirement that no current browser
supports AFAIK.  And there are no subsequent responses on the
connection because the framing no longer works -- they all get
folded into that one response because the message length is
determined by connection close [in practice].

I did not specify any specific choice of how a user agent
might inspect the stream and make a safe choice about which
of the lengths actually work for that response because, AFAIK,
none of them do so now.  I'd love to be proven wrong about that
by a sudden desire of user agents to conform to a single behavior.
I don't think we can require anything more than it SHOULD be
indicated as an error.

....Roy
Received on Monday, 20 September 2010 22:52:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:25 GMT