Hello, I am a developer of this HTML5 game upload site https://game.nicovideo.jp/atsumaru/

I have some questions about RFC7540 section 10.5.1. Why "CAN" a server send an HTTP 431 status code when it receives a larger header block (not MUST)?

In an http/1.1 connection, the server MUST respond with a 4xx status code when it receives a larger header (RFC7230). So, if a user accesses a site that can upload any javascript code, and gets large cookies, then we can send a customized HTTP 4xx response which contains cookie-erasing code.

But, in http/2, the server does not need to send an HTTP 431 response, so we will not have a chance to erase cookies. In the actual implementation, nginx will terminate the http/2 session with an ENHANCE_YOUR_CALM error without any HTTP response, so chrome will display "cannot connect to server". So, we cannot send a response which contains cookie-erasing code to a user who plays a game containing a "Cookie Bomb".

So, we have two questions.

First question: why was the text changed from "CAN" to "MUST" when it receives large cookies (headers)?

Second question: is this problem an implementation issue or a specification problem?

Sincerely,
Kazuki Yasufuku

--
*******************************************
Kazuki Yasufuku
Software Engineer, UGC game platform section
DWANGO Co., Ltd.
E-MAIL: kazuki_yasufuku@dwango.co.jp
*******************************************

Received on Friday, 6 April 2018 14:15:22 UTC
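The recovery the post describes for HTTP/1.1, as an added example that is not part of the original message: an application-side handler that answers an oversized header block with 431 and Set-Cookie lines that expire every cookie the client sent, so the next request fits again. The threshold, function names and sample requests are assumptions constructed for this demonstration; it only helps where the front-end (unlike nginx on http/2, per the post) still delivers the request to the application.

```python
# Added example (not from the original post): answer an oversized header
# block with 431 plus cookie-expiring Set-Cookie headers. Threshold, names
# and sample requests below are assumptions constructed for this demo.

MAX_HEADER_BYTES = 8 * 1024  # assumed limit for the whole header block


def header_block_size(headers):
    """Approximate HTTP/1.1 wire size of the 'Name: value\\r\\n' lines."""
    return sum(len(name) + len(value) + 4 for name, value in headers)


def cookie_names(headers):
    """Distinct cookie names found in all Cookie headers, in order sent."""
    names = []
    for name, value in headers:
        if name.lower() != "cookie":
            continue
        for part in value.split(";"):
            cookie = part.split("=", 1)[0].strip()
            if cookie and cookie not in names:
                names.append(cookie)
    return names


def clear_cookie_headers(names, path="/"):
    """Set-Cookie lines that expire each named cookie via Max-Age=0.
    The request carries only names, so Path/Domain must match how the
    cookies were originally set; '/' is assumed here."""
    return [("Set-Cookie", f"{n}=; Max-Age=0; Path={path}") for n in names]


def handle_request(headers):
    """Return None when the header block is acceptable, otherwise a
    (status, response_headers, body) tuple for a 431 response whose
    headers expire every cookie the client sent."""
    if header_block_size(headers) <= MAX_HEADER_BYTES:
        return None
    response_headers = [("Content-Type", "text/plain; charset=utf-8"),
                        ("Connection", "close")]
    response_headers += clear_cookie_headers(cookie_names(headers))
    body = ("431 Request Header Fields Too Large: cookies for this site "
            "were cleared, please reload.\n")
    return 431, response_headers, body


# Constructed samples: a normal request and one carrying an oversized cookie.
SMALL_REQUEST = [("Host", "example.test"), ("Cookie", "session=abc123")]
BOMB_REQUEST = [("Host", "example.test"),
                ("Cookie", "session=abc123; junk0=" + "A" * 5000
                 + "; junk1=" + "B" * 5000)]
```

Cookies set with a Domain attribute or a non-root Path will not be cleared by the default lines above; emit one Set-Cookie per (Path, Domain) combination the site actually uses.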