- From: Alex Rousskov <rousskov@measurement-factory.com>
- Date: Fri, 16 Jul 2004 00:02:55 -0600 (MDT)
- To: Jamie Lokier <jamie@shareable.org>
- Cc: ietf-http-wg@w3.org
On Tue, 13 Jul 2004, Jamie Lokier wrote:

> Note that the semantics of the hop-by-hop header Proxy-Authorization
> are that it MAY be forwarded. So wording of the hop-by-hop section
> should perhaps not say that Proxy-Authorization MUST be removed, as
> it would be a contradiction.

I hesitate opening another debate around this. We simply lack the
proxy terminology (client-side actions versus server-side actions,
etc.) to perfectly express what we want. I would just use the existing
language, but make it normative.

> > 2) attempts to increase the probability that old and new
> > implementations will do the right thing (by listing all
> > hop-by-hop headers in the Connection header)
> >
> > I do not have strong feelings about (2). Adding a few bytes to a few
> > messages does not bother me much, but I am worried that, in some
> > corner cases, listing more headers in Connection might expose
> > currently undetected vulnerabilities in old products.
>
> I wouldn't be surprised to find some old products check for Connection
> == "close", or !strncmp(connection, "close") if you see what I mean.

I saw some _new_ products that do that. That is one reason why I am
not pushing for (2).

Thanks,

Alex.
Received on Friday, 16 July 2004 02:03:01 UTC
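
The parsing problem discussed in this message, as an added example that is not part of the original post or any product's code: two whole-string checks of the kind described, next to a token-aware check that treats Connection as a comma-separated, case-insensitive list. The function names and sample header values are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Whole-string checks of the kind described in the thread (reconstructed). */
static int naive_exact(const char *connection) {
    return strcmp(connection, "close") == 0;
}
static int naive_prefix(const char *connection) {
    return strncmp(connection, "close", 5) == 0;
}

/* Case-insensitive comparison of an n-byte token against a C string. */
static int token_equals(const char *tok, size_t n, const char *name) {
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Returns 1 if the comma-separated Connection value contains `name`. */
static int connection_has_token(const char *value, const char *name) {
    const char *p = value;
    while (*p) {
        /* skip list separators and optional whitespace before a token */
        while (*p == ',' || *p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p && *p != ',') p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (end > start && token_equals(start, (size_t)(end - start), name))
            return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample header values, not taken from the thread. */
    const char *samples[] = { "close", "close, Proxy-Authorization",
                              "Keep-Alive, Close", "closed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s exact=%d prefix=%d token=%d\n", samples[i],
               naive_exact(samples[i]), naive_prefix(samples[i]),
               connection_has_token(samples[i], "close"));
    return 0;
}
```

The exact match stops seeing "close" as soon as another header name is listed alongside it, and the prefix match both misses "Keep-Alive, Close" and accepts "closed"; only the token-aware check gives the same answer regardless of what else the Connection header lists.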