- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 10 Mar 2011 00:10:03 +0100
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Mar 10, 2011 at 11:55:31AM +1300, Adrien de Croy wrote:
> What should a proxy do? It has the task of putting something together
> to send a client.
>
> it seems to me the only safe option is a. It's also the only option
> that provides any incentive for people to fix their sites.

The problem is that it does not work. When you go deploying your appliance at a large customer and some applications don't work behind it, whatever the bugs on the applications, the customer only says your appliance does not work while many other products do work there. That's why we got so many diverging workarounds for many issues. Everything that is declared illegal will still be done in a random way :-/

I even have one example. I had haproxy deployed at a bank, which was blocking a few invalid responses that contained a header named "Content/type". Guess what? They disabled HTTP processing and only used TCP until I was able to provide an option with a scary name to relax the header parser, because fixing the app was expected to take 6 months (and it did take more).

I'd really like standards to propose hints for how to handle exceptions when there's no alternative, without creating vulnerabilities and without having all products behave differently. Content smuggling exists precisely because everyone had to find a different solution to an issue that was not considered something that had to be handled at one point.

Regards,
Willy
Received on Wednesday, 9 March 2011 23:10:34 UTC
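The situation Willy describes, a strict header parser that rejects a field-name like "Content/type" and a deliberately named relaxed option that lets it through, as an added illustration that is not haproxy's code nor part of the original message. It assumes a small header-block parser of its own design: in strict mode any field-name that is not an RFC 7230 token is rejected; in relaxed mode (the hypothetical `relax_invalid_names` switch) the line is kept and logged, but such lines are never consulted for message framing, so relaxing the name check does not open a Content-Length ambiguity. The header lines fed to it are constructed samples.

```python
import logging
import string
from typing import List, Optional, Tuple

# RFC 7230 section 3.2.6: a field-name is a "token", i.e. one or more tchar.
# "/" and SP are not tchar, so "Content/type" and "Content-Length " are invalid.
TCHAR = set("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

# (name, value, name_is_valid_token)
Header = Tuple[str, str, bool]


class InvalidHeader(ValueError):
    """Raised when a header block violates the grammar in strict mode."""


def is_valid_field_name(name: str) -> bool:
    """True if `name` is a non-empty RFC 7230 token."""
    return bool(name) and all(c in TCHAR for c in name)


def parse_header_block(raw: bytes, relax_invalid_names: bool = False) -> List[Header]:
    """Parse CRLF-separated header lines (no start-line).

    Strict mode (default) raises InvalidHeader on any field-name that is
    not a token. Relaxed mode keeps the line but flags it as invalid, so
    later stages can log it and exclude it from framing decisions.
    """
    headers: List[Header] = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            raise InvalidHeader(f"missing ':' in header line {line!r}")
        name_b, value_b = line.split(b":", 1)
        name = name_b.decode("latin-1")
        value = value_b.decode("latin-1").strip()
        if is_valid_field_name(name):
            headers.append((name, value, True))
        elif relax_invalid_names:
            # The "scary option" path: accept, but record the deviation.
            logging.warning("accepting non-token field-name %r (relaxed mode)", name)
            headers.append((name, value, False))
        else:
            raise InvalidHeader(f"invalid field-name {name!r}")
    return headers


def strict_rejects(raw: bytes) -> bool:
    """Convenience: does the strict parser refuse this header block?"""
    try:
        parse_header_block(raw)
    except InvalidHeader:
        return True
    return False


def declared_content_length(headers: List[Header]) -> Optional[int]:
    """Body length per Content-Length, using only validly-named fields.

    Several differing Content-Length values are rejected outright
    (RFC 7230 section 3.3.3); relaxed-mode lines never take part here.
    """
    values = {v for n, v, ok in headers if ok and n.lower() == "content-length"}
    if not values:
        return None
    if len(values) != 1:
        raise InvalidHeader(f"conflicting Content-Length values {sorted(values)}")
    value = values.pop()
    if not value.isdigit():
        raise InvalidHeader(f"non-numeric Content-Length {value!r}")
    return int(value)


# Constructed sample responses: the first is well-formed, the second carries
# the "Content/type" header from the anecdote above.
SAMPLE_GOOD = b"Content-Type: text/html\r\nContent-Length: 12\r\n"
SAMPLE_BROKEN = b"Content/type: text/html\r\nContent-Length: 12\r\n"

if __name__ == "__main__":
    print("strict rejects good block:", strict_rejects(SAMPLE_GOOD))
    print("strict rejects broken block:", strict_rejects(SAMPLE_BROKEN))
    relaxed = parse_header_block(SAMPLE_BROKEN, relax_invalid_names=True)
    print("relaxed parse:", relaxed)
    print("body length:", declared_content_length(relaxed))
```

The point of the design is that the relaxation is scoped: it widens what field-names are tolerated, while framing (Content-Length handling) keeps its strict rules, which is the kind of narrowly defined escape hatch the message asks standards to describe.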