Re: Whitespace before responses

On Wed, Feb 08, 2012 at 12:25:34PM +1100, Mark Nottingham wrote:
> 
> On 08/02/2012, at 12:22 PM, Roy T. Fielding wrote:
> 
> > On Feb 7, 2012, at 4:53 PM, Mark Nottingham wrote:
> > 
> >> Current text:
> >> """
> >>  In the interest of robustness, servers SHOULD ignore at least one
> >>  empty line received where a Request-Line is expected.  In other
> >>  words, if the server is reading the protocol stream at the beginning
> >>  of a message and receives a CRLF first, it SHOULD ignore the CRLF.
> >> """
> >> 
> >> Proposal:
> >> 
> >> """
> >>  In the interest of robustness, servers SHOULD ignore at least one
> >>  empty line received where a Request-Line is expected.  In other
> >>  words, if the server is reading the protocol stream at the beginning
> >>  of a message and receives a CRLF first, it SHOULD ignore the CRLF.
> >> 
> >>  Likewise, clients SHOULD ignore at least one empty line received
> >>  where a Status-Line is expected. 
> >> 
> >>  Note that this relaxation does not apply to other characters; ignoring
> >>  arbitrary non-whitespace characters before a message enables
> >>  cross-protocol attacks.
> >> """
> > 
> > No, there is no need nor desire for such a relaxation.  The first rule is
> > to allow for backwards-compatible behavior with clients that send CRLF at
> > the end of a request without including it in the request message body count.
> > This new addition has no corresponding need.  IE is just handling a
> > message error, which is entirely dependent on the type of client being used.
> 
> Yeah. I'm on the fence about this one; on the one hand, it's not a hard
> interop requirement, but on the other, pretty much every client does it,
> AFAICT.

And probably, if they do it, it's because some old buggy servers used to
send this CRLF at the end of a response. E.g.: a CGI script doing an "echo" after
"cat $file". I don't know how hard it would be to collect statistics on such
bad practices. We'd need to find a commonly deployed client which does not do
it and which confirms there's no issue when not accepting a CRLF in a response.

Willy

Received on Wednesday, 8 February 2012 07:07:20 UTC
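
The client-side rule proposed in the quoted text, as an added example that is not part of the original thread: a Status-Line reader that skips a bare CRLF but refuses any other bytes ahead of the Status-Line. The names `read_status_line`, `is_accepted`, the `max_empty_lines` limit and the sample inputs are assumptions made for illustration.

```python
import re

# Status-Line: HTTP-Version SP Status-Code SP Reason-Phrase (CRLF is handled separately)
STATUS_LINE = re.compile(rb"HTTP/(\d\.\d) (\d{3}) ([^\r\n]*)")

class StartLineError(ValueError):
    """The bytes where a Status-Line is expected are not acceptable."""

def read_status_line(stream: bytes, max_empty_lines: int = 1):
    """Parse the Status-Line at the start of `stream`.

    Tolerates up to `max_empty_lines` bare CRLFs first (assumed limit; the quoted
    text only says "at least one"). Any other leading byte is an error.
    Returns (version, status_code, reason, bytes_consumed).
    """
    pos = 0
    while stream.startswith(b"\r\n", pos):
        if pos // 2 == max_empty_lines:
            raise StartLineError("too many empty lines before Status-Line")
        pos += 2
    end = stream.find(b"\r\n", pos)
    if end == -1:
        raise StartLineError("incomplete Status-Line")
    match = STATUS_LINE.fullmatch(stream, pos, end)
    if match is None:
        # Never resynchronise by scanning ahead for "HTTP/": that is the
        # "ignoring arbitrary non-whitespace characters" case from the proposal.
        raise StartLineError("unexpected bytes before Status-Line")
    version, code, reason = match.groups()
    return version.decode(), int(code), reason.decode("latin-1"), end + 2

def is_accepted(stream: bytes) -> bool:
    """True if `stream` starts with an acceptable (optionally CRLF-prefixed) Status-Line."""
    try:
        read_status_line(stream)
        return True
    except StartLineError:
        return False

# Constructed sample inputs (not captured traffic).
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
STRAY_CRLF = b"\r\n" + CLEAN          # extra CRLF left over ahead of the response
OTHER_PROTOCOL = b"220 mail.example ESMTP\r\n" + CLEAN
LEADING_SPACE = b" " + CLEAN

if __name__ == "__main__":
    for name in ("CLEAN", "STRAY_CRLF", "OTHER_PROTOCOL", "LEADING_SPACE"):
        print(name, is_accepted(globals()[name]))
```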