
Re: #311 Add limitations to Range to reduce its use as a denial-of-service tool

From: Yves Lafon <ylafon@w3.org>
Date: Wed, 15 Feb 2012 04:37:49 -0500 (EST)
To: Adrien de Croy <adrien@qbik.com>
cc: ietf-http-wg@w3.org
Message-ID: <alpine.DEB.1.10.1202150433090.11557@wnl.j3.bet>
On Thu, 5 Jan 2012, Adrien de Croy wrote:

>
> while we're on the topic of range requests, there are an increasing number of 
> agents that fail when range requests are responded to with a 200 and full 
> content.
>
> Things like
>
> * MS Windows update
> * iTunes
> * AppleTV client
> * various other updaters
> * anything relying on BITS in Windows.
>
> etc.
>
> This is a conflict with any gateway AV scanning which requires the entire 
> entity in order to scan it and which therefore removes Range headers from 
> requests.
>
> Could/should we add language to send a stronger message to agent authors to 
> deter them from such behaviour?  It makes little or no sense to post an error 
> about a misconfigured gateway simply because it downgrades all range requests 
> to full requests.  The entire entity is still available to be sent back to 
> the client, it just refuses to play if it can't get its way.

It reminds me of a WebDAV client that was waiting for the connection to 
be closed after receiving a successful response to a PUT. Keeping the 
connection open was making the client stall, expecting a specific 
behaviour of a particular class of servers.

So what you ask is actually more general, it's "Do not make assumptions about 
the behaviour of the server or a proxy, as observable behaviour can change 
over time" and this is especially true for optional parts of the spec, like 
ranges.

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.
(Roam as much as you will, you will always come back to your own.)

         ~~Yves
Received on Wednesday, 15 February 2012 09:37:52 GMT
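The failure mode Adrien describes, as an added example that is not code from this thread or from any of the clients it lists: a client-side handler that asked for a byte range and accepts both a 206 partial response and a 200 full-entity response (what a Range-stripping gateway produces), while still checking that what came back matches what was requested instead of trusting the status code. The Response class, the lower-cased header names, the RangeError type and the byte strings are all constructed for the example; only single-part 206 responses are handled, multipart/byteranges is rejected explicitly.

```python
"""Tolerant handling of the response to an HTTP Range request.

Added example, not code from the thread or from any client named in it.
The client asked for bytes start..end (inclusive). A server that honours
Range answers 206 with Content-Range; a gateway that strips Range (for
example to scan the whole entity) answers 200 with the full body. Both are
legitimate, so the client must cope with both rather than erroring out.
"""
import re
from dataclasses import dataclass, field

# Single-part Content-Range, e.g. "bytes 4-7/16" or "bytes 4-7/*".
CONTENT_RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


@dataclass
class Response:
    """Minimal stand-in for a parsed HTTP response (constructed for the example)."""
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


class RangeError(Exception):
    """Raised when the response cannot be reconciled with the requested range."""


def range_header(start: int, end: int) -> str:
    """Build the Range request header value for an inclusive byte range."""
    if start < 0 or end < start:
        raise ValueError(f"invalid range {start}-{end}")
    return f"bytes={start}-{end}"


def extract_range(resp: Response, start: int, end: int) -> bytes:
    """Return the bytes start..end (inclusive) from a 206 or a 200 response.

    206: verify Content-Range and the body length; the server may shorten
         the range at the end of the entity but must not move its start.
    200: Range was ignored or stripped upstream; slice the full entity
         ourselves instead of treating the response as an error.
    """
    if resp.status == 206:
        ctype = resp.headers.get("content-type", "")
        if ctype.lower().startswith("multipart/byteranges"):
            raise RangeError("multipart/byteranges not handled by this example")
        cr = resp.headers.get("content-range", "")
        m = CONTENT_RANGE_RE.match(cr)
        if not m:
            raise RangeError(f"206 without a parseable Content-Range: {cr!r}")
        got_start, got_end = int(m.group(1)), int(m.group(2))
        if got_start != start or got_end > end or got_end < got_start:
            raise RangeError(f"server sent {got_start}-{got_end}, asked {start}-{end}")
        expected_len = got_end - got_start + 1
        if len(resp.body) != expected_len:
            raise RangeError(f"body is {len(resp.body)} bytes, Content-Range says {expected_len}")
        return resp.body

    if resp.status == 200:
        # Full entity: the proxy or server did not act on Range. Do not fail;
        # a 200 must not carry Content-Range, so that is the only sanity check.
        if "content-range" in resp.headers:
            raise RangeError("200 response must not carry Content-Range")
        if start >= len(resp.body):
            raise RangeError(f"range starts at {start}, entity is {len(resp.body)} bytes")
        return resp.body[start:end + 1]

    if resp.status == 416:
        raise RangeError("416: requested range not satisfiable")
    raise RangeError(f"unexpected status {resp.status}")


if __name__ == "__main__":
    # Constructed sample entity and the two response shapes a client can meet.
    entity = b"0123456789abcdef"
    partial = Response(206, {"content-range": "bytes 4-7/16"}, entity[4:8])
    full = Response(200, {"content-length": "16"}, entity)
    print(range_header(4, 7), extract_range(partial, 4, 7), extract_range(full, 4, 7))
```

The 200 branch is the one the listed updaters get wrong: the entity the client wanted is right there in the body, so slicing it locally costs nothing but bandwidth. The 206 branch is the one clients usually skip: checking Content-Range against the request is what protects a resumable download from silently stitching the wrong bytes together when an intermediary misbehaves.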
