Re: [#95] Multiple Content-Lengths

On 20.09.2010 10:50, Anne van Kesteren wrote:
> What exactly is the security issue then? Before I was told it's a
> potential security issue. If it's a security issue then the
> specification should probably not define recovery at all and user agents
> would have outstanding security advisories.

The security issue is that with conflicting length information, 
different recipients (proxies, user agents) may extract different 
payloads, *and* may differ in what part of the stream they use for the 
next message.

See <>.

The spec currently says that a message like this is broken. Origin 
servers are required to respond with 400 + closing the connection, 
clients are required to read until EOF + close the connection, plus 
signal an error.

The client behavior is some kind of recovery, and I'd be totally happy 
if we agreed that clients MUST NOT display the message. However I have 
my doubts that we can convince the browser implementers of that.

Best regards, Julian

Received on Monday, 20 September 2010 09:11:09 UTC