- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 15 May 2018 20:18:18 +1000
- To: "Julian F. Reschke" <julian.reschke@gmx.de>
- Cc: Willy Tarreau <w@1wt.eu>, Kazuho Oku <kazuhooku@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
> On 15 May 2018, at 8:06 pm, Julian Reschke <julian.reschke@gmx.de> wrote: > > On 2018-05-15 11:46, Mark Nottingham wrote: >>> But we're back to the problem Julian raised which is : >>> >>> When Structured Headers parsing fails, the header is discarded >>> >>> Booleans are different from integers. Booleans indicate a status. Eg: >>> "safe" vs "unsafe". Discarding the "unsafe" status because we failed to >>> parse it is dangerous. >>> >>> Actually I'm starting to think that the rule >>> consisting in silently discarding a header field that fails to parse is >>> the problem here. Normally we're supposed to return "400 bad req" on >>> parsing errors, and I fear we're becoming too lenient on parsing and >>> introduce a new class of problems. >> 400 is for HTTP-level parsing issues; e.g., message delimitation -- at least from generic HTTP implementations. Not being able to parse an extension header is a totally different thing. > > 400 is for anything caused by the client, and not covered by a more specific 4xx code. Yes, but its use is not required upon any error by the client. > It might make sense to define a new 4xx code to cover the case of a syntax error in a request header field value. Do we have examples of extension headers needing / doing this? None of the ones in recent memory do (e.g., Access-Control-Allow-*, Accept-Patch, Accept-Post, ALPN, Alt-Used, Cookie (bis), HTTP2-Settings, Origin, Prefer). That's not to say that we'll never encounter another header that justifies a hard error reflected in a status code, just that it doesn't seem common, so we might be optimising (well, specifying) prematurely here. I would say we could define a "SH-Errors-Encountered" header to stick onto a 400, but I think that creates a more complex, coupled protocol than we want here (YMMV), and it would encourage header authors to generate that 400, rather than having safe defaults -- which is I think the pattern we want them to be following. Cheers, -- Mark Nottingham https://www.mnot.net/
Received on Tuesday, 15 May 2018 10:18:48 UTC