- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 10 Mar 2011 11:55:31 +1300
- To: HTTP Working Group <ietf-http-wg@w3.org>
On 10/03/2011 11:44 a.m., Julian Reschke wrote:
>
> I can think of three ways for recipients to handle these:
>
> a) fail to parse C-L, and treat the message as invalid (closing the
> connection because of broken framing)
>
> b) accept the duplicate value, and use the C-L as if it wasn't repeated
>
> c) fail to parse C-L, and just treat the C-L header field as invalid,
> but continue processing by reading until the end of connection
>
> Smuggling could only happen if some recipients did c), right? Those
> that do this IMHO are already non-compliant, so I'm not sure how
> mandating b) helps...
>

What should a proxy do? It has the task of putting something together to send a client.

It seems to me the only safe option is a.

It's also the only option that provides any incentive for people to fix their sites.

Regards

Adrien

>>> If we do, we *probably* need to adjust the header field ABNF
>>> (because "x, x" doesn't parse), which I'd rather do not...
>>
>> No, we still require that duplicates not be sent. The ABNF
>> only defines valid messages. This new requirement is for
>> exception handling in the case of an invalid received message.
>
> Ack.
>
> Best regards, Julian
>
Received on Wednesday, 9 March 2011 22:56:30 UTC
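
The three recipient behaviours a), b) and c) listed in the message above, written out as an added example that is not part of the original thread or of any implementation mentioned in it. The names `Policy`, `FramingError`, `body_length` and `compare` are hypothetical, the sample header values are constructed, and a return value of `None` is assumed to mean "no usable Content-Length, so the body runs until the connection closes".

```python
import re
from enum import Enum

class Policy(Enum):
    REJECT = "a"        # a) message is invalid, close the connection
    COLLAPSE = "b"      # b) identical repeats are used as a single value
    IGNORE_FIELD = "c"  # c) discard C-L and read until end of connection

class FramingError(Exception):
    """Framing cannot be trusted; the caller must close the connection."""

_DIGITS = re.compile(r"[0-9]+")  # ASCII digits only, no sign or whitespace

def body_length(cl_fields, policy):
    """Return the body length in bytes, or None for read-until-close.

    cl_fields holds the raw value of every Content-Length field line
    received, in order.
    """
    if not cl_fields:
        return None
    # Repeated field lines and a comma-separated value are the same case.
    members = [m.strip(" \t") for v in cl_fields for m in v.split(",")]
    well_formed = all(_DIGITS.fullmatch(m) for m in members)
    if well_formed and len(members) == 1:
        return int(members[0])              # the only valid message form
    if policy is Policy.REJECT:
        raise FramingError("repeated or malformed Content-Length")
    if policy is Policy.COLLAPSE:
        # Only textually identical repeats collapse; "42, 7" still fails.
        if well_formed and len(set(members)) == 1:
            return int(members[0])
        raise FramingError("conflicting or malformed Content-Length")
    return None                             # option c

def compare(cl_fields):
    """Show what each policy decides for the same received header."""
    result = {}
    for policy in Policy:
        try:
            result[policy.value] = body_length(cl_fields, policy)
        except FramingError:
            result[policy.value] = "close"
    return result

if __name__ == "__main__":
    # Constructed inputs: one comma list, two field lines, a conflict.
    for sample in (["42, 42"], ["42", "42"], ["42", "7"], ["42"]):
        print(sample, compare(sample))
```

For `"42, 42"` a recipient using b) frames a 42-byte body while one using c) keeps reading to end of connection, which is the disagreement between hops that the thread is concerned with; under a) the message never gets forwarded.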