Re: Whitespace before responses from Amos Jeffries on 2012-02-09 (ietf-http-wg@w3.org from January to March 2012)

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 09 Feb 2012 17:33:57 +1300
To: ietf-http-wg@w3.org
Message-ID: <4F334CB5.7070704@treenet.co.nz>

On 8/02/2012 8:03 p.m., Willy Tarreau wrote:
> On Wed, Feb 08, 2012 at 12:25:34PM +1100, Mark Nottingham wrote:
>> On 08/02/2012, at 12:22 PM, Roy T. Fielding wrote:
>>
>>> On Feb 7, 2012, at 4:53 PM, Mark Nottingham wrote:
>>>
>>>> Current text:
>>>> """
>>>>   In the interest of robustness, servers SHOULD ignore at least one
>>>>   empty line received where a Request-Line is expected.  In other
>>>>   words, if the server is reading the protocol stream at the beginning
>>>>   of a message and receives a CRLF first, it SHOULD ignore the CRLF.
>>>> """
>>>>
>>>> Proposal:
>>>>
>>>> """
>>>>   In the interest of robustness, servers SHOULD ignore at least one
>>>>   empty line received where a Request-Line is expected.  In other
>>>>   words, if the server is reading the protocol stream at the beginning
>>>>   of a message and receives a CRLF first, it SHOULD ignore the CRLF.
>>>>
>>>>   Likewise, clients SHOULD ignore at least one empty line received
>>>>   where a Status-Line is expected.
>>>>
>>>>   Note that this relaxation does not apply to other characters; ignoring
>>>>   arbitrary non-whitespace characters before a message enables
>>>>   cross-protocol attacks.
>>>> """
>>> No, there is no need nor desire for such a relaxation.  The first rule is
>>> to allow for backwards-compatible behavior with clients that send CRLF at
>>> the end of a request without including it in the request message body count.
>>> This new addition has no corresponding need.  IE is just handling a
>>> message error, which is entirely dependent on the type of client being used.
>> Yeah. I'm on the fence about this one; on the one hand, it's not a hard
>> interop requirement, but on the other, pretty much every client does it,
>> AFAICT.
> And probably that if they do it, it's because some old buggy servers used to
> send this CRLF at the end of a response. Eg: a CGI script doing an "echo" after
> "cat $file". I don't know how hard it would be to collect statistics on such
> bad practices. We'd need to find a commonly deployed client which does not do
> it and which confirms there's no issue when not accepting a CRLF in a response.
>
> Willy
>
>

Willy, the rest of the thread is about *request* not response. Squid has 
not accepted response whitespace prefixes in a very long time and bug 
reports about that are very rare.

Squid does skip whitespace at the beginning of the request and in my 
recent experience it seems to be an active problem with scripts and 
certain poular PDF readers.

AYJ

Received on Thursday, 9 February 2012 04:34:30 UTC