Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length? from Adrien de Croy on 2017-02-15 (ietf-http-wg@w3.org from January to March 2017)

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 15 Feb 2017 01:45:27 +0000
To: "Matthew Kerwin" <matthew@kerwin.net.au>
Cc: "Alex Rousskov" <rousskov@measurement-factory.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <eme1e3b988-5c11-4cc3-a930-bca665adceaf@bodybag>

Maybe this discussion is indicative of the underlying problems in the 
(lack of?) definition, which results in things like browsers accepting 
smaller payloads than advertised without complaining.


If we turn it around, under what circumstances could we consider that

a user-agent emitting a request message which includes a Content-Length 
header whose value is greater than the number of bytes it then transmits 
after the headers

Is not an error condition, or that the message should be processed as if 
it were complete?



I also wonder whether we would be having a similar discussion on the TLS 
WG about record lengths.

When security is at stake I thought we tended to take a firmer stand.


It seems from the language in 3.3.3 par 4 that the intention is that the 
C-L MUST match the body payload size.

The language in 3.3.2 however does not reinforce this.

Adrien



------ Original Message ------
From: "Matthew Kerwin" <matthew@kerwin.net.au>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Alex Rousskov" <rousskov@measurement-factory.com>; 
"ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 15/02/2017 2:18:43 PM
Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?

>
>
>On 15 February 2017 at 10:42, Adrien de Croy <adrien@qbik.com> wrote:
>>
>>
>>------ Original Message ------
>>From: "Alex Rousskov" <rousskov@measurement-factory.com 
>><mailto:rousskov@measurement-factory.com>>
>>To: "Adrien de Croy" <adrien@qbik.com>; "ietf-http-wg@w3.org" 
>><ietf-http-wg@w3.org>
>>Sent: 15/02/2017 1:32:04 PM
>>Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?
>>
>>>On 02/14/2017 04:18 PM, Adrien de Croy wrote:
>>>
>>>>  The only true size of a body is what you obtain by counting its 
>>>>bytes.
>>>
>>>I disagree. The only true size of a body is the Content-Length value 
>>>(in
>>>relevant contexts).
>>
>>What about for a sender piecing a message together.  Where does 
>>Content-Length come from?
>>
>>The content existed before you derived or obtained its length.
>>
>
>When we say "content" do we mean content of the message, content of the 
>representation, or content of the resource? I've always taken 
>content-length to mean the content of the representation[*] -- which, 
>since the demise of T-E, basically means message payload.
>
>When we say "body", I hope we're all always talking about message 
>payload. (i.e.: representation · Range · T-E)
>
>Reasoning about the _resource_ (including file size) is the purview of 
>the application, outside of HTTP transport or semantics. At least, 
>that's how it looks from my ivory tower.
>
>[*] something something Range something
>
>Cheers
>--
>   Matthew Kerwin
>   http://matthew.kerwin.net.au/

Received on Wednesday, 15 February 2017 01:46:11 UTC