- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 10 Jul 2013 13:33:12 +0200
- To: Jeff Pinner <jpinner@twitter.com>
- CC: Michael Sweet <msweet@apple.com>, Martin Thomson <martin.thomson@gmail.com>, list <ietf-http-wg@w3.org>
On 2013-07-09 22:59, Jeff Pinner wrote: > I am all for adding text to the "Additional HTTP > Requirements/Considerations" sections that discuss how to upgrade from > HTTP/1.1 to HTTP/2.0, including what to do about how to handle specific > headers, Expect and Content-Length / Transfer-Encoding included. This > would be useful not just to implementers migrating to HTTP/2.0 but also > to proxies that upgrade/downgrade the protocol version. > > That being said, the requirements around Message Length in HTTP/1.1 are > non-trivial and given that we want to support interoperability, I'd like > to minimize adding additional requirements (especially those with > conflicting semantics) in the HTTP/2.0 spec. > > P.S. the httpbis messaging draft states: > > If a message is received with both a Transfer-Encoding and a > Content-Length header field, the Transfer-Encoding overrides the > Content-Length. Such a message might indicate an attempt to > perform request or response smuggling (bypass of security-related > checks on message routing or content) and thus ought to be > handled as an error. A sender MUST remove the received Content- > Length field prior to forwarding such a message downstream. > > > it would be nice to strengthen that language so that it matches the new HTTP/2.0 requirement. > ... My 2 cents: HTTPbis says what it says based on a long discussion of the topic. IMHO simply saying "should be aligned with whatever 2.0 says" is not sufficient to change that. Best regards, Julian
Received on Wednesday, 10 July 2013 11:33:51 UTC