Re: p2: Expect: 100-continue and "final" status codes

#Expect 100-continue without a body

If a client sends a request without a body yet with a "Expect:
100-continue" header, the request ought to be considered a bad request,
because of a previous requirement:

   o  A client MUST NOT send an Expect header field with the "100-
      continue" expectation if it does not intend to send a payload
      body.

However a server may not be able to detect all bad requests. If it sees a
request without a body, it may simply assume that there's no 100-continue
expectation.

The spec may add a leeway for server

   o  Upon receiving a request with "100-continue" expectation yet without
a message body (i.e. both Transfer-Encoding and Content-Length are
missing), an origin server SHOULD either respond with 400 (Bad Request), or
ignore the expectation.


#Performing request method without reading request body

I don't understand why the origin server must not perform the request
method if it opts not to read the request body. Even though it's probably
the right thing to do in almost all cases, do we have to make it an
absolute requirement?


#Managing connection

The last requirement for the origin server talks about requests *without* a
"100-continue" expectation. Therefore it should not be in this section. The
subject is covered very well in p1#6.6 already, I think we can simply
delete it from this section.

On the other hand, the spec does not address connection management
adequately in the most important use case of the section. It currently says
(paraphrasing)

    upon receiving a request that includes the 100-continue expectation, if
the origin server responds with a final status code instead of 100
(Continue), after sending the response, it may either close the connection
or continue to read and discard the rest of the request.

I think we can give better advice than that. If a server responds with a
final status code instead of 100 (Continue)

1. The response must be the last response on the connection. The response
should contain "Connection: close" header. After the response is written,
the server must initiate a lingering close of the connection (p1#6.6).

2. If the client receives a final status code instead of 100 (Continue), it
should stop sending request body if it is doing so; it must close the
connection after the response is received.

This is to avoid the RST problem if the client decides to start to write
request body before receiving any response from the server.


Zhong Yu


On Tue, Apr 23, 2013 at 2:22 AM, Mark Nottingham <mnot@mnot.net> wrote:

> p2 5.1.1.1 explains the semantics of 100-continue: "If the origin server
> responds with a final status code, it must not have performed the request
> method and may either close the connection or continue to read and discard
> the rest of the request."
>
> In my (admittedly quick) testing, pretty much nobody does this, at least
> by default; i.e., if I send a GET to a server with Expect: 100-continue,
> it's going to give me a 200 or 30x, not a 417. Sure, they might send 417
> for a request with a body, but as written pretty much no one is conformant.
>
> One thing we could do would be to only place requirements upon proxies and
> servers when Expect: 100-continue is on a request with a body.
>
> Stepping back, though, I have to wonder if it's reasonable to only allow
> 100 (Continue) or, effectively, an error (since the request can't be
> "applied") in the presence of Expect: 100-continue. I've seen many
> implementations that purposefully ignore Expect: 100-continue and send back
> 200 (OK) responses to avoid the interop problems that expect/continue
> brings.
>
> OTOH if we do maintain the notion that a final response to an Expect:
> 100-continue request needs to NOT be applied on the server, we should use
> more specific terminology (i.e., say that it needs to be a 4xx or 5xx
> response status, not just a "final response.").
>
> Thoughts?
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>
>