- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 14 Jul 2010 18:17:45 -0700
- To: Adrien de Croy <adrien@qbik.com>
- Cc: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Jul 14, 2010, at 5:45 PM, Adrien de Croy wrote:

> that's quite an interesting scenario
>
> if a proxy were to receive a request message with say
>
> Connection: content-type
>
> in it, what do you think should the proxy do?

Delete the content-type header, as required by HTTP/1.1.

> a) ignore it (not remove Content-Type)
> b) reject the message (client attempted exploit)
> c) something else
>
> it may be clear enough for Content-Type, but what about some other header (e.g. header not known about by the proxy). Should we have a requirement that a proxy should reject any message that has a token in the Connection header that is not a known hop-by-hop header?

That would be the complete opposite of the reason we have the Connection header -- to indicate what headers are hop-by-hop. We needed it precisely to indicate hop-by-hop extensions.

There is absolutely no risk in following the instruction exactly as indicated. The sender already has control over the bits being sent, and your proxy should be enforcing its constraints on what to forward *after* the message is processed for forwarding.

....Roy
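The ordering Roy describes (honour every Connection token, then apply the proxy's own forwarding policy to the resulting message) as an added example; this is illustration code, not code from the thread, the working group, or any proxy. The fixed hop-by-hop list is assumed to be the one from RFC 2616 section 13.5.1, the "body requires Content-Type" rule in `prepare_for_forwarding` is an example policy chosen for the demo, and the request headers are constructed sample input.

```python
"""Hop-by-hop header removal in a forwarding proxy, then policy.

Added example (not the thread's or any proxy's code). A token named in
Connection is hop-by-hop for this hop and is removed before forwarding,
even an end-to-end field such as Content-Type that the sender chose to
list. The proxy's own constraints are evaluated afterwards, on the
message that will actually be forwarded.
"""
from typing import List, Tuple

Header = Tuple[str, str]

# Fields that are hop-by-hop in every HTTP/1.1 message, whether or not the
# sender lists them in Connection. Assumption: this is the list from
# RFC 2616 section 13.5.1; the message above does not enumerate them.
ALWAYS_HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
})

# Constructed sample request: the sender has listed Content-Type in
# Connection, which is the scenario Adrien asked about.
CONSTRUCTED_REQUEST: List[Header] = [
    ("Host", "example.test"),
    ("Content-Type", "application/json"),
    ("Connection", "content-type, keep-alive"),
    ("Keep-Alive", "timeout=5"),
    ("X-Trace", "abc123"),
]


def connection_tokens(headers: List[Header]) -> set:
    """Lower-cased tokens from every Connection field.

    Field names are case-insensitive and Connection may appear more than
    once; every instance contributes tokens.
    """
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            for tok in value.split(","):
                tok = tok.strip().lower()
                if tok:
                    tokens.add(tok)
    return tokens


def strip_hop_by_hop(headers: List[Header]) -> Tuple[List[Header], List[str]]:
    """Drop hop-by-hop fields exactly as Connection instructs.

    Tokens that name no present field (for example "close") are harmless
    and simply match nothing. Returns the surviving headers and the sorted
    lower-case names of what was removed, for logging.
    """
    drop = ALWAYS_HOP_BY_HOP | connection_tokens(headers)
    kept: List[Header] = []
    removed = set()
    for name, value in headers:
        if name.lower() in drop:
            removed.add(name.lower())
        else:
            kept.append((name, value))
    return kept, sorted(removed)


def prepare_for_forwarding(headers: List[Header], body: bytes) -> Tuple[bool, str, List[Header]]:
    """Process the message first, then enforce the proxy's constraints.

    Example constraint (an assumption for this demo, not a rule from the
    thread): a request carrying a body must still declare Content-Type.
    Because the check runs after hop-by-hop removal, a sender who strips
    its own Content-Type through Connection gets a clean rejection here
    instead of an untyped body reaching the next hop.
    """
    kept, removed = strip_hop_by_hop(headers)
    has_content_type = any(n.lower() == "content-type" for n, _ in kept)
    if body and not has_content_type:
        return False, "reject: body present but no Content-Type after hop-by-hop removal", kept
    return True, "forward (removed: %s)" % ", ".join(removed), kept


if __name__ == "__main__":
    ok, reason, fwd = prepare_for_forwarding(CONSTRUCTED_REQUEST, b'{"a": 1}')
    print(ok, reason)
    for name, value in fwd:
        print("  %s: %s" % (name, value))
```

Run as a script, the constructed request is rejected: Content-Type is removed because the sender named it, and the body-without-type rule then fires. A request with `Connection: close` and an intact Content-Type is forwarded with only the Connection field dropped.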
Received on Thursday, 15 July 2010 01:18:15 UTC