Re: NEW ISSUE: Transfer-Encoding in 1.0 messages

On fre, 2007-11-23 at 11:20 +0100, Bjoern Hoehrmann wrote:

> I do not know any current setup that would cause this, and that browsers
> do not agree how to handle this is a good hint that there are none. What
> I can easily imagine though is that in ancient times broken servers with
> broken proxies would cause this, and that exploits might try to use this
> to bypass crude security measures.

I don't think we need to do anything more about this in the specs. It's
quite clear how it should be parsed by a HTTP/1.1 client (chunked), and
also quite clear that it's not allowed to be sent so if seen on the wire
then it's fishy, i.e. either a broken implementation or someone trying
nasty things.

It's not the point of the spec to enumerate every possible protocol
violation that may be seen outside of the specifications or how
recipients is to deal with each such case. Attempts to do so would
seriously encumber the usability of the specification.

We could add a general recommendation that recipients SHOULD reject
obviously malformed messages where the sender has violated MUST
requirements or MUST NOT restrictions. But I seriously doubt many
implemeters would care to do this even if explicitly recommended by the
specifications as there is too much broken crap out there, and users do
not want to know about others broken crap, they just want things to work
at best effort. So I prefer to leave this up to each implementer to
judge how strict they want to be in their parsers.


Received on Friday, 23 November 2007 11:35:08 UTC