Re: NEW ISSUE: message-body in CONNECT response

On Nov 27, 2007, at 1:35 PM, Eric Lawrence wrote:

> Wouldn't "Connection: Close" be more appropriate than "Content- 
> Length: 0", as the latter implies that no content follows, while  
> clearly that's not correct if the response headers precede blobs of  
> HTTPS traffic?

No, close tells the client to close the connection after the message.
"Content-Length: 0" tells the client that this HTTP message ends
after the CRLFCRLF.  What follows after that message is not HTTP,
but it is still the same connection.

> A proxy that supports HTTPS tunneling is going to use Connection:  
> close semantics anyway, right?

Maybe. It is going to drop into relay mode, which may be an entirely
different piece of logic than the bit that decides when to close at
the end of a message.  It depends on how the proxy forwards messages.

> Vis--vis the idea of responding to a CONNECT request with a HTML  
> 2xx "login" page, it may be worth mentioning that this does not  
> work in IE6 or IE7. A user-agent which does support such responses  
> must be very careful to ensure that the security context of the  
> returned content is corrected to reflect its insecure nature.

Yep, that is why the message-body is required to be empty.


Received on Tuesday, 27 November 2007 22:22:07 UTC