- From: William A. Rowe Jr. <wrowe@rowe-clan.net>
- Date: Wed, 09 Mar 2011 17:06:08 -0600
- To: Adrien de Croy <adrien@qbik.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>

On 3/9/2011 4:55 PM, Adrien de Croy wrote:
>
>
> On 10/03/2011 11:44 a.m., Julian Reschke wrote:
>>
>> I can think of three ways for recipients to handle these:
>>
>> a) fail to parse C-L, and treat the message as invalid (closing the connection because
>> of broken framing)
>>
>> b) accept the duplicate value, and use the C-L as if it wasn't repeated
>>
>> c) fail to parse C-L, and just treat the C-L header field as invalid, but continue
>> processing by reading until the end of connection
>>
>> Smuggling could only happen if some recipients did c), right? Those that do this IMHO
>> are already non-compliant, so I'm not sure how mandating b) helps...
>>
>
> What should a proxy do? It has the task of putting something together to send a client.
>
> It seems to me the only safe option is a. It's also the only option that provides any
> incentive for people to fix their sites.

Well, d) was omitted, fail with a 400, having read the rest of the headers off the wire,
but without draining the [misrepresented] body.

Received on Wednesday, 9 March 2011 23:07:48 UTC
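
The four recipient behaviours discussed in this thread, a) to c) from the quoted list and d) from the reply, sketched as an added example; it is not code from any participant or from the HTTP specifications. The function names, action labels and sample header blocks are constructed for illustration, and handling conflicting values under b) as a framing error is an assumption.

```python
import re

def content_length_values(header_block: bytes) -> list:
    """Collect every Content-Length value, splitting comma-joined lists."""
    values = []
    for line in header_block.split(b"\r\n")[1:]:      # [0] is the start line
        if not line:                                   # blank line ends the headers
            break
        name, _, value = line.partition(b":")
        if name.lower() == b"content-length":
            values += [v.strip().decode("latin-1") for v in value.split(b",")]
    return values

def decide(header_block: bytes, policy: str):
    """Return (action, length); policy is 'a', 'b', 'c' or 'd' as in the thread."""
    values = content_length_values(header_block)
    if not values:
        return ("no-content-length", None)
    valid = all(re.fullmatch(r"[0-9]+", v) for v in values)
    if valid and len(values) == 1:
        return ("use-length", int(values[0]))          # ordinary, unambiguous case
    if policy == "b" and valid and len(set(values)) == 1:
        return ("use-length", int(values[0]))          # b) collapse exact duplicates
    if policy == "c":
        return ("read-until-close", None)              # c) ignore C-L, read to EOF
    if policy == "d":
        return ("respond-400-no-drain", None)          # d) reject, leave body unread
    return ("close-connection", None)                  # a); also b) on conflict (assumption)

# Constructed sample header blocks (not captured traffic).
DUP_LINES = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 42\r\nContent-Length: 42\r\n\r\n"
DUP_LIST = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 42, 42\r\n\r\n"
CONFLICT = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 42\r\nContent-Length: 7\r\n\r\n"

if __name__ == "__main__":
    samples = (("dup lines", DUP_LINES), ("dup list", DUP_LIST), ("conflict", CONFLICT))
    for label, block in samples:
        for policy in "abcd":
            print(label, policy, decide(block, policy))
```

Only c) keeps reading a message whose length it could not parse, which is the behaviour the quoted message ties to smuggling; a) and d) both refuse the message.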