Re: HTTPbis -10 drafts published : Connection header

On Jul 14, 2010, at 5:45 PM, Adrien de Croy wrote:

> that's quite an interesting scenario
> 
> if a proxy were to receive a request message with say
> 
> Connection: content-type
> 
> in it, what do you think the proxy should do?

Delete the content-type header, as required by HTTP/1.1.

> a) ignore it (not remove Content-Type)
> b) reject the message (client attempted exploit)
> c) something else
> 
> it may be clear enough for Content-Type, but what about some other header (e.g. header not known about by the proxy).  Should we have a requirement that a proxy should reject any message that has a token in the Connection header that is not a known hop-by-hop header?

That would be the complete opposite of the reason we have the
Connection header -- to indicate what headers are hop-by-hop.
We needed it precisely to indicate hop-by-hop extensions.

There is absolutely no risk in following the instruction
exactly as indicated.  The sender already has control over the
bits being sent, and your proxy should be enforcing its constraints
on what to forward *after* the message is processed for forwarding.

....Roy

Received on Thursday, 15 July 2010 01:18:15 UTC
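
The processing order described in the reply above, as an added example that is not part of the original message or of the HTTPbis drafts: the proxy first removes every field nominated by Connection (whether or not it recognises the name), and only then applies its own forwarding constraints to what is left. The function names, the sample request and the "body requires Content-Type" policy are assumptions made for illustration.

```python
# Added illustration; function names, sample data and the policy are hypothetical.

def connection_tokens(headers):
    """Collect tokens from every Connection field (comma-separated, case-insensitive)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def strip_hop_by_hop(headers):
    """Drop Connection itself and every field it nominates, known to the proxy or not."""
    nominated = connection_tokens(headers) | {"connection"}
    return [(n, v) for n, v in headers if n.lower() not in nominated]


def forward_request(headers, has_body):
    """Process the message for forwarding first, then check the proxy's own
    constraints against what would actually be sent.
    Returns (status, headers_to_forward)."""
    outgoing = strip_hop_by_hop(headers)
    names = {n.lower() for n, _ in outgoing}
    # Hypothetical local policy: refuse to forward a body without Content-Type.
    if has_body and "content-type" not in names:
        return 400, []
    return 200, outgoing


# Constructed sample request modelled on the scenario in the thread.
SAMPLE = [
    ("Host", "example.org"),
    ("Content-Type", "text/plain"),
    ("Content-Length", "5"),
    ("X-Unknown-Ext", "1"),
    ("Connection", "content-type, X-Unknown-Ext"),
]

if __name__ == "__main__":
    print(strip_hop_by_hop(SAMPLE))
    print(forward_request(SAMPLE, has_body=True))
```

Because the policy check runs on the stripped header list, a field deleted through Connection is judged the same way as a field the sender never included.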