- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Mon, 19 Nov 2007 12:53:52 +0100
- To: Jamie Lokier <jamie@shareable.org>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, ietf-http-wg@w3.org
Received on Monday, 19 November 2007 11:54:02 UTC
On mån, 2007-11-19 at 02:51 +0000, Jamie Lokier wrote:

> A server shouldn't parse the next request as if there's an empty body,
> even if that's technically allowed, because it's a security hole, if
> we believe there is a likelihood of proxies calculating the message
> boundary differently when they forward it.

There is actually a slight conflict here. 4.3 Message Body says

   The presence of a message-body in a request is signaled by the
   inclusion of a Content-Length or Transfer-Encoding header field in
   the request's message-headers.

The correct resolution is to fix 4.4 Message Length to restrict rule 4
to 206 responses only.

I would like to also deprecate this message delimiting method as
obsolete. chunked encoding fills the gap nicely.

Regards
Henrik
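A request-framing check in the spirit of the resolution discussed in this message, as an added example that is not part of the original mail or of any server's code. The function name, return values and the strict "reject" policy are assumptions of the example.

```python
# Added illustration; request_framing and its return values are hypothetical.
def request_framing(headers):
    """Decide how a request body is delimited from (name, value) header pairs.

    Returns ("chunked", None), ("length", n), ("none", None), or
    ("reject", reason) where a proxy and a server could disagree on the
    message boundary. Rejecting is this example's policy choice.
    """
    te, cl, ctype = [], [], ""
    for name, value in headers:
        n = name.strip().lower()
        if n == "transfer-encoding":
            te += [t.strip().lower() for t in value.split(",") if t.strip()]
        elif n == "content-length":
            cl += [v.strip() for v in value.split(",")]
        elif n == "content-type":
            ctype = value.split(";")[0].strip().lower()

    if te and cl:
        return ("reject", "both Transfer-Encoding and Content-Length")
    if te:
        if te[-1] != "chunked":
            return ("reject", "final transfer-coding is not chunked")
        return ("chunked", None)
    if cl:
        # Repeated or non-numeric lengths give two parsers room to differ.
        if len(set(cl)) != 1 or not (cl[0].isascii() and cl[0].isdigit()):
            return ("reject", "invalid or conflicting Content-Length")
        return ("length", int(cl[0]))
    # Section 4.3: without Content-Length or Transfer-Encoding no request
    # body is signaled. A request that nevertheless declares the
    # self-delimiting type of section 4.4 rule 4 is the ambiguous case, so
    # it is refused rather than read as an empty body.
    if ctype == "multipart/byteranges":
        return ("reject", "multipart/byteranges request without a length")
    return ("none", None)


# Constructed sample request headers, not taken from the thread.
SAMPLE = [("Host", "example.test"),
          ("Content-Type", "multipart/byteranges; boundary=SEP")]

if __name__ == "__main__":
    print(request_framing(SAMPLE))
```

A server applying this policy would answer a "reject" with an error and close the connection instead of parsing the following bytes as a new request.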