- From: Henrik Nordstrom <hno@squid-cache.org>
- Date: Tue, 16 Jan 2007 01:06:25 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-Id: <1168905985.32694.39.camel@henriknordstrom.net>
Mon 2007-01-15 at 17:35 +1100, Mark Nottingham wrote:

> Background at: <http://lists.w3.org/Archives/Public/ietf-http-wg/2006AprJun/0103>
>
> Does anybody have any new information / thoughts about this?

The HTTP protocol message format is quite well defined in when a request body may be allowed.. pretty much at any time except where it is forbidden. But in many requests the meaning of said request body is undefined by HTTP/1.1, but may well be defined by other application protocols building on HTTP/1.1 as long as it doesn't conflict with HTTP/1.1. Naturally such uses will be quite limited, but still..

I know the thread perhaps a bit too well, being one of the guilty ones who instinctively blocked GET requests with a request body. But in retrospect I did know what the specs said, just didn't like the effects it could have on the service provided by the software I write or having to cover odd undefined cases rarely if ever seen in real life.. so we blocked them to see if it would cause any problems, which it did some many years later.. (and by which time we had almost forgotten why)

But with applications already out in the field doing these kinds of requests for various reasons it will be a bit tricky to get them covered by the specs if straightened up to not allow request bodies where their use is nonsense under the semantics of HTTP/1.1.

The perhaps biggest problem, apart from some implementations blocking such requests as "nonsense use of HTTP", is that it may be used as a covert channel to smuggle data out from a network. But there is a large number of those in HTTP and related services so not that big of a problem..

Hmm.. maybe there are also request smuggling attacks possible here if there is some server/proxy software ignoring that there may be a request body..

Regards
Henrik
Received on Tuesday, 16 January 2007 00:07:13 UTC
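The last point in the message above, a proxy or server that assumes GET carries no body and so frames the connection differently from its peer, is what a request framer has to get right. The following is an added example, not code from the original post or from Squid: a small HTTP/1.1 request framer that derives the body length from Content-Length or Transfer-Encoding for every method, rejects the ambiguous cases (both headers present, conflicting Content-Length values), and can optionally be switched into the "GET has no body" mode to show how the two framings disagree on the same pipelined byte stream. The sample requests, the host name `example.test` and the function names are constructed for the example.

```python
"""Framing HTTP/1.1 requests so that a declared body is honoured on every method.

Added example (not from the mailing-list post or from Squid). The byte streams
below are constructed for the example; ``example.test`` is a placeholder host.
"""
from typing import List, Tuple

# Methods that some implementations wrongly assume never carry a body.
_ASSUMED_BODYLESS = {"GET", "HEAD", "DELETE"}


def _parse_head(buf: bytes, pos: int):
    """Return (request_line, [(name, value), ...], pos_after_head) or None if incomplete."""
    end = buf.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def _declared_length(headers) -> Tuple[str, int]:
    """Decide the body framing from the headers: ('none', 0), ('length', n) or ('chunked', 0).

    Ambiguous framings are rejected outright rather than resolved by a precedence rule,
    because two peers resolving them differently is exactly the desync to avoid.
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te:
        if te[-1].split(",")[-1].strip().lower() != "chunked":
            raise ValueError("final transfer coding must be chunked")
        return "chunked", 0
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("conflicting or invalid Content-Length")
        return "length", int(cl[0])
    return "none", 0


def _read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a chunked body starting at pos; return (body, pos_after_message)."""
    body = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated chunk-size line")
        size = int(buf[pos:eol].split(b";", 1)[0].strip(), 16)  # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            while True:  # trailer section ends with an empty line
                eol = buf.find(b"\r\n", pos)
                if eol == -1:
                    raise ValueError("truncated trailer section")
                if eol == pos:
                    return bytes(body), pos + 2
                pos = eol + 2
        chunk = buf[pos:pos + size]
        if len(chunk) != size or buf[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or unterminated chunk")
        body += chunk
        pos += size + 2


def frame_requests(stream: bytes, honour_body_on_every_method: bool = True) -> List[dict]:
    """Split a pipelined request stream into messages.

    With honour_body_on_every_method=False the framer mimics the bug the post warns
    about: it skips the length headers on GET/HEAD/DELETE, so the body bytes are
    read as the start of the next request and the stream is misframed.
    """
    messages, pos = [], 0
    while pos < len(stream):
        parsed = _parse_head(stream, pos)
        if parsed is None:
            raise ValueError("incomplete request head")
        request_line, headers, pos = parsed
        method = request_line.split(" ")[0]
        kind, n = _declared_length(headers)
        if not honour_body_on_every_method and method in _ASSUMED_BODYLESS:
            kind, n = "none", 0
        if kind == "length":
            body = stream[pos:pos + n]
            if len(body) != n:
                raise ValueError("truncated body")
            pos += n
        elif kind == "chunked":
            body, pos = _read_chunked(stream, pos)
        else:
            body = b""
        messages.append({"method": method, "request_line": request_line, "body": body})
    return messages


# Constructed sample: a GET with a 5-byte body, pipelined with a plain GET.
SAMPLE_CL = (b"GET /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nq=abc"
             b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
# Constructed sample: the same GET body sent chunked.
SAMPLE_TE = (b"GET /search HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n3\r\nq=a\r\n2\r\nbc\r\n0\r\n\r\n")

if __name__ == "__main__":
    for honour in (True, False):
        print("honour body on GET:", honour)
        for m in frame_requests(SAMPLE_CL, honour):
            print("  ", m["request_line"], "body=", m["body"])
```

Run stand-alone, the script prints two well-formed GETs when the body is honoured, and a second "request" whose method is `q=abcGET` when it is not; that disagreement between two framings of one stream is the condition a proxy must never be in with respect to the origin it talks to, and rejecting the ambiguous header combinations is the cheapest way to stay out of it.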