Re: Clarification for RFC7231 CONNECT (section 4.3.6)

On Tue, Apr 28, 2015 at 03:38:58PM -0500, Nico Williams wrote:
> Section 4.3.6 of RFC7231 says:
>    A server MUST NOT send any Transfer-Encoding or Content-Length header
>    fields in a 2xx (Successful) response to CONNECT.  A client MUST
>    ignore any Content-Length or Transfer-Encoding header fields received
>    in a successful response to CONNECT.
> I find the second sentence strange: if a proxy sends a body in a 2xx
> response to a CONNECT and the client ignores it, the client will... find
> the response body and pass it along to the application as application
> protocol data!
> Surely that's not really the intent when a proxy violates the first
> sentence of the quoted paragraph by sending a response body.
> Even if no known proxies send a response body in 2xx CONNECT responses,
> it seems more plausible that proxies do just that than that they include
> non-zero-length Content-Length but no response body.

In fact it's worse. I've long seen proxies sending various content-length
values in response to CONNECT. Some send content-length:0, others send
1 million etc... I'm pretty sure they used to do that to workaround broken
intermediaries which ignore the method and only follow content-length, and
used to let a lot of data pass through. I think the text above is well
suited to cover that case. Don't forget that RFC723x aim at describing
what *is* deployed and how to best interoperate.


Received on Wednesday, 29 April 2015 05:01:46 UTC