Re: [#95] Multiple Content-Lengths

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Sun, 17 Oct 2010 23:00:43 -0600
To: Mark Nottingham <mnot@mnot.net>
Cc: Julian Reschke <julian.reschke@gmx.de>, Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, "William Chan (陈智昌)" <willchan@chromium.org>, "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <20101017230043.e639bac7.eric@bisonsystems.net>

Mark Nottingham wrote:
> > We can't simply break formerly-conforming implementations.
> We can if it's a security issue.

The security issue in question is "HTTP request smuggling", which is an
attack vector which always takes the form of a malicious request from a
user-agent.  All it is the other way around is a broken server putting
itself at risk.  There's no justification for a MUST even if there is
consensus for it.

I thought the consensus the WG was after was whether or not to discard
all but the first C-L or the last C-L.  The current proposed language
says read to connection close, instead.  This makes loads of sense to
me, instead of MUST fail hard based on what concern, exactly?

Received on Monday, 18 October 2010 05:01:22 UTC
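As an added illustration of the handling options argued over in this thread (keep the first Content-Length, keep the last, or fail hard), and not code from the thread or from any HTTP implementation: a small Python check that extracts every Content-Length value from a request head and shows that "first" and "last" frame the same bytes differently, while "reject" refuses the ambiguous message outright. The request heads are constructed samples, and Transfer-Encoding is deliberately out of scope.

```python
"""Added example (not from the thread): classify Content-Length framing of a
request head so a gateway can refuse an ambiguous message instead of guessing."""
import re
from typing import Optional

# Assumption: only the header block is inspected; no body bytes are read here.
def content_length_values(head: bytes) -> list:
    """Return every decimal Content-Length value in field order, including
    values packed into one field as a comma list ("Content-Length: 42, 42")."""
    values = []
    for line in head.split(b"\r\n")[1:]:  # [1:] skips the request line
        if not line:
            break  # empty line ends the header block
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            for item in value.split(b","):
                item = item.strip()
                if not re.fullmatch(rb"[0-9]+", item):
                    raise ValueError("non-numeric Content-Length: %r" % item)
                values.append(int(item))
    return values

def frame_body(head: bytes, policy: str) -> Optional[int]:
    """Body length under one policy from the thread: 'first' or 'last' keeps a
    single field; 'reject' accepts only unanimous values and returns None when
    the fields disagree, so no downstream parser can frame the bytes differently."""
    values = content_length_values(head)
    if not values:
        return 0  # no Content-Length and no Transfer-Encoding handling: no body
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "reject":
        return values[0] if len(set(values)) == 1 else None
    raise ValueError("unknown policy %r" % policy)

# Constructed sample: two Content-Length fields that disagree.
CONFLICTING = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nContent-Length: 11\r\n\r\n")
# Constructed sample: a duplicated but identical value (the benign case).
DUPLICATE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 11, 11\r\n\r\n")

def demo() -> dict:
    """Framing decision of each policy for both samples."""
    return {name: {p: frame_body(head, p) for p in ("first", "last", "reject")}
            for name, head in (("conflicting", CONFLICTING), ("duplicate", DUPLICATE))}
```

Running `demo()` shows the conflicting head framed as 5 bytes by "first" and 11 bytes by "last", which is exactly the disagreement a smuggled request relies on, whereas "reject" returns None for it and 11 for the benign duplicate.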

This archive was generated by hypermail 2.3.1 : Thursday, 1 October 2015 05:36:44 UTC