- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 15 Jul 2010 13:50:09 +1200
- To: Willy Tarreau <w@1wt.eu>
- CC: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
ok, but what about from RFC2616 S 14.10

    Message headers listed in the Connection header MUST NOT include
    end-to-end headers, such as Cache-Control.

there are only 4 types of header (AFAICT)

general-header
request-header
response-header
entity-header

any unknown header is an extension header, and is treated as an entity header.

All entity headers are end to end are they not?

Therefore it's illegal to specify any entity header in the Connection header.

Adrien

On 15/07/2010 1:17 p.m., Roy T. Fielding wrote:
> On Jul 14, 2010, at 5:45 PM, Adrien de Croy wrote:
>
>> that's quite an interesting scenario
>>
>> if a proxy were to receive a request message with say
>>
>> Connection: content-type
>>
>> in it, what do you think should the proxy do?
>
> Delete the content-type header, as required by HTTP/1.1.
>
>> a) ignore it (not remove Content-Type)
>> b) reject the message (client attempted exploit)
>> c) something else
>>
>> it may be clear enough for Content-Type, but what about some other header (e.g. header not known about by the proxy). Should we have a requirement that a proxy should reject any message that has a token in the Connection header that is not a known hop-by-hop header?
>
> That would be the complete opposite of the reason we have the
> Connection header -- to indicate what headers are hop-by-hop.
> We needed it precisely to indicate hop-by-hop extensions.
>
> There is absolutely no risk in following the instruction
> exactly as indicated. The sender already has control over the
> bits being sent, and your proxy should be enforcing its constraints
> on what to forward *after* the message is processed for forwarding.
>
> ....Roy
Received on Thursday, 15 July 2010 01:50:49 UTC
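
The processing order discussed in this thread, as an added example that is not part of the original messages: a proxy first removes every header named in `Connection`, then applies its own forwarding constraints to what remains. The function names, the sample request and the policy (require `Host`, and `Content-Type` when a body is present) are assumptions made for illustration.

```python
# Added illustration, not code from the thread. The policy below is hypothetical.

def connection_tokens(headers):
    """Collect lower-cased tokens from every Connection header field."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def strip_listed_headers(headers):
    """Drop Connection and every header it names; report what was removed."""
    tokens = connection_tokens(headers)
    kept, removed = [], set()
    for name, value in headers:
        lname = name.lower()
        if lname == "connection":
            continue                      # Connection itself is hop-by-hop
        if lname in tokens:
            removed.add(lname)            # named by the sender as hop-by-hop
            continue
        kept.append((name, value))
    return kept, sorted(removed)


def forward_decision(headers, has_body,
                     required=("host",), required_with_body=("content-type",)):
    """Process Connection first, then enforce local policy on the result."""
    kept, removed = strip_listed_headers(headers)
    present = {name.lower() for name, _ in kept}
    needed = list(required) + (list(required_with_body) if has_body else [])
    missing = [h for h in needed if h not in present]
    return {"forward": not missing, "headers": kept,
            "removed": removed, "missing": missing}


# Constructed sample request matching the scenario in the thread.
SAMPLE = [
    ("Host", "example.test"),
    ("Content-Type", "text/plain"),
    ("Content-Length", "5"),
    ("Connection", "content-type, X-Hop"),
    ("X-Hop", "1"),
]

if __name__ == "__main__":
    print(forward_decision(SAMPLE, has_body=True))
```

Logging the `removed` list gives an operator a record of requests that asked the proxy to drop headers the next hop may depend on.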