Re: [#95] Multiple Content-Lengths

I think we need to balance the reluctance to assault users with error 
messages with the potential for mischief such responses could contain.

In the past there may not have been many real smuggling exploits that 
had any real damaging effect.  It would only take one vulnerability to 
be exploited on a wide scale to change user attitudes towards such 
things, and have users baying for blood - "you knew about this before, 
why didn't you do something about it!!!??!!!!"

I'm no PR person, but how you present it makes an enormous difference.

One could adopt the approach Google takes with suspicious sites - post a 
big red page stating the site appears to be doing something potentially 
dangerous (the truth). If the user really wishes, give them a button 
where they can proceed ignoring the warning.

Doing it this way provides a point of difference ("see we protect you 
from this as well") as opposed to yet another pointless nag dialog.

Plus it provides an enormous incentive for site operators to fix the 
problem.


On 20/09/2010 8:06 p.m., Anne van Kesteren wrote:
> On Mon, 20 Sep 2010 07:57:56 +0200, Mark Nottingham <mnot@mnot.net> 
> wrote:
>> Two replied that they have concerns about displaying errors to end 
>> users. If they come on-list and discuss their concerns, we can 
>> discuss this more.
>
> I was one of those if I remember correctly. End users just do not 
> understand such error messages. And since they cannot do anything with 
> them either showing error messages to end users will just make them 
> confused, which gives them a bad product experience. It is exactly the 
> same problem with asking users if they are okay with doing the request 
> using the method CHICKEN to this other location. They'll just go "WTF" 
> hit "OK" and hope it works, which is not that great really. Or worse, 
> terminate the browser and start over.
>
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Monday, 20 September 2010 08:47:34 UTC
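As an added example (not code from this thread, from WinGate, or from any browser), here is the framing check a client or proxy could run before deciding whether a response needs the error treatment discussed above: collect every Content-Length value and refuse to frame the message when they disagree. The tolerance of identical duplicates and the wording of the reasons are assumptions of the example.

```python
"""Check an HTTP/1.1 header block for conflicting Content-Length values.

Assumed policy: one value, or several numerically identical values, frames
the body unambiguously; differing values or a non-numeric value make the
message unframeable and it is rejected (the rule RFC 7230 later adopted).
"""
import re
from typing import List, NamedTuple, Optional


class FramingDecision(NamedTuple):
    accept: bool
    length: Optional[int]   # body length when a usable Content-Length exists
    reason: str


# field-name ":" OWS field-value OWS  (field names compare case-insensitively)
_FIELD = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
_DIGITS = re.compile(r"[0-9]+")


def content_length_values(raw_headers: str) -> List[str]:
    """Collect every Content-Length value.  A repeated header field and a
    comma-separated list inside a single field are treated alike."""
    values: List[str] = []
    for line in raw_headers.split("\r\n"):
        m = _FIELD.match(line)
        if m and m.group(1).lower() == "content-length":
            values.extend(v.strip() for v in m.group(2).split(","))
    return values


def content_length_decision(raw_headers: str) -> FramingDecision:
    """Decide whether the message body can be framed from Content-Length."""
    values = content_length_values(raw_headers)
    if not values:
        return FramingDecision(True, None, "no Content-Length header")
    if not all(_DIGITS.fullmatch(v) for v in values):
        return FramingDecision(False, None, "non-numeric Content-Length value")
    distinct = sorted({int(v) for v in values})
    if len(distinct) > 1:
        return FramingDecision(False, None,
                               "conflicting Content-Length values: %s" % distinct)
    return FramingDecision(True, distinct[0], "unambiguous Content-Length")


if __name__ == "__main__":
    # Constructed sample header blocks (status line plus fields, CRLF-separated).
    samples = [
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\ncontent-length: 5\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 42\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 5, 42\r\n",
    ]
    for block in samples:
        print(content_length_decision(block))
```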