
Re: #311 Add limitations to Range to reduce its use as a denial-of-service tool

From: Yves Lafon <ylafon@w3.org>
Date: Wed, 15 Feb 2012 04:37:49 -0500 (EST)
To: Adrien de Croy <adrien@qbik.com>
cc: ietf-http-wg@w3.org
Message-ID: <alpine.DEB.1.10.1202150433090.11557@wnl.j3.bet>
On Thu, 5 Jan 2012, Adrien de Croy wrote:

> while we're on the topic of range requests, there are an increasing number of 
> agents that fail when range requests are responded to with a 200 and full 
> content.
> Things like
> * MS Windows update
> * iTunes
> * AppleTV client
> * various other updaters
> * anything relying on BITS in Windows.
> etc.
> This is a conflict with any gateway AV scanning which requires the entire 
> entity in order to scan it and which therefore removes Range headers from 
> requests.
> Could/should we add language to send a stronger message to agent authors to 
> deter them from such behaviour?  It makes little or no sense to post an error 
> about a misconfigured gateway simply because it downgrades all range requests 
> to full requests.  The entire entity is still available to be sent back to 
> the client, it just refuses to play if it can't get its way.

It reminds me of a WebDAV client that was waiting for the connection to 
be closed after receiving a successful response to a PUT. Keeping the 
connection open was making the client stall, expecting a specific 
behaviour of a particular class of servers.

So what you ask is actually more general, it's "Do not make assumptions on 
the behaviour of the server or a proxy, as observable behaviour can change 
over time" and this is especially true for optional parts of the spec, like 

Baroula que barouleras, au tiƩu toujou t'entourneras.

Received on Wednesday, 15 February 2012 09:37:52 UTC
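The failure mode discussed in this thread is a client that sends a Range request and then refuses to continue when the answer is a 200 with the whole entity. As an added example (not code from the thread or from any of the products named in it), here is a resume routine that accepts every answer the server is allowed to give: a validated 206, a 200 where Range was ignored or stripped by a gateway, and a 416. The entity, prefix and responses are constructed sample data.

```python
import re
# Content-Range on a 206 looks like "bytes 100-199/200"; on a 416 it is "bytes */200".
_CR_206 = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")
_CR_416 = re.compile(r"^bytes \*/(\d+)$")

def resume_body(have: bytes, status: int, headers: dict, body: bytes) -> bytes:
    """Reassemble the full entity after sending 'Range: bytes=<len(have)>-'.
    Handles all three legal answers instead of failing on a 200: 206
    (validated partial appended), 200 (Range ignored, body is the whole
    entity), 416 (unsatisfiable, usually because we already hold it all).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 206:
        m = _CR_206.match(h.get("content-range", ""))
        if not m:
            raise ValueError("206 without a parsable Content-Range")
        first, last, total = int(m[1]), int(m[2]), m[3]
        if first != len(have):
            raise ValueError(f"range starts at {first}, expected {len(have)}")
        if last - first + 1 != len(body):
            raise ValueError("body length disagrees with Content-Range")
        if total != "*" and last + 1 != int(total):
            raise ValueError("partial body does not reach end of entity")
        return have + body
    if status == 200:
        # Range was dropped (e.g. by a scanning gateway) or the server does not
        # support ranges: the whole entity is here, so use it rather than erroring.
        cl = h.get("content-length")
        if cl is not None and int(cl) != len(body):
            raise ValueError("200 body truncated relative to Content-Length")
        return body
    if status == 416:
        m = _CR_416.match(h.get("content-range", ""))
        if m and int(m[1]) == len(have):
            return have  # nothing left to fetch
        raise ValueError("range unsatisfiable; discard prefix and restart")
    raise ValueError(f"unexpected status {status}")

# Constructed sample exchange: 10-byte entity, 4 bytes already on disk.
ENTITY = b"0123456789"
PREFIX = ENTITY[:4]

def demo() -> dict:
    """Run the same resume against a 206, a 200 and a 416 answer."""
    return {
        206: resume_body(PREFIX, 206, {"Content-Range": "bytes 4-9/10"}, ENTITY[4:]),
        200: resume_body(PREFIX, 200, {"Content-Length": "10"}, ENTITY),
        416: resume_body(ENTITY, 416, {"Content-Range": "bytes */10"}, b""),
    }
```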
