- From: Alex Rousskov <rousskov@measurement-factory.com>
- Date: Mon, 17 Jun 2002 10:55:12 -0600 (MDT)
- To: ietf-http-wg@w3.org
Hi, RFC 2616, section 14.10 "Connection" has two similar MUSTs, one for all messages and one specifically for HTTP/1.0 messages: HTTP/1.1 proxies MUST parse the Connection header field [...] and, for each connection-token in this field, remove any header field(s) from the message with the same name as the connection-token. and A system receiving an HTTP/1.0 (or lower-version) message that includes a Connection header MUST, for each connection-token in this field, remove and ignore any header field(s) from the message with the same name as the connection-token. As you can see, the only real difference between the two requirements is that for HTTP/1.0 messages, matching headers must not only be removed, but also _ignored_. Testing the "remove" part is easy. I am trying to come up with a good case for HTTP/1.1 proxies that tests the "ignore" part. The short version of my question is: "Can anybody come up with a real-world case or at least a sane example, where the ``and ignore'' part of the lower requirement would matter?" On other words, can one auto-detect that the proxy is not ignoring the headers it removes? For details, please read on. So, I want to construct an HTTP/1.0 message with a header that, if not ignored by the proxy, will cause some auto-detectable or traceable action. Ideally, I need to do that for both requests and responses. This is a black-box testing. I cannot find any good headers that test the "ignore part". I assume that the original message was generated by an HTTP/1.1-aware agent and forwarder via an HTTP/1.0 proxy that does not understand Connection: and uses HTTP/1.0 message version. Connection: header field MUST NOT contain end-to-end headers, so I want to use hop-by-hop headers and extension headers when forming the test message. Moreover, any sane proxy will ignore any extension header so true hop-by-hop headers are the only ones left. They are: - Connection - Keep-Alive - Proxy-Authenticate - Proxy-Authorization - TE - Trailers - Transfer-Encoding - Upgrade Furthermore, I need a header that is not supported by HTTP/1.0 proxies and that requires some detectable action from an HTTP/1.1 proxy. Authentication headers are very cumbersome to test with. Remaining headers are: - Connection - Transfer-Encoding "Connection: Connection" is obviously not useful in this context. "Connection: Transfer-Encoding" is not good either because if HTTP/1.0 proxy ignored (and hence forwarded) Transfer-Encoding, things are already pretty broken, and the HTTP/1.1 proxy should probably notice Transfer-Encoding and react in some way other than ignoring it! Thus, I am tempted to conclude that no remotely possible real-world scenario would produce a combination of headers where violating the "and ignore" part of the RFC requirement would break things more than honoring that requirement. Can anybody confirm or provide a good example where honoring the "and ignore" requirement would be detectable? Thank you, Alex. P.S. I can build a test case by putting end-to-end headers such as Vary or Cache-Control into a Connection field, but that is quite unrealistic and violates HTTP/1.1.
Received on Monday, 17 June 2002 12:55:33 UTC