- From: Willy Tarreau <w@1wt.eu>
- Date: Sat, 16 May 2020 07:50:42 +0200
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Julian Reschke <julian.reschke@gmx.de>, mnot@mnot.net, phk@varnish-cache.org, last-call@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, barryleiba@gmail.com, draft-ietf-httpbis-header-structure@ietf.org
On Sat, May 16, 2020 at 05:42:21AM +0000, Poul-Henning Kamp wrote:
> --------
> In message <3aa18f59-889b-bb3e-289d-0936bb18a9a8@gmx.de>, Julian Reschke writes:
>
> >I have no idea what the exact proposal would be. Fail when multiple
> >instances are there?
>
> That has always been my stance: Multiple instances of the same
> header should have been banned long ago, ideally before the
> Cookie-Mistake allowed the total plunder of our privacy.

I disagree. Lots of components by then already needed to append "connection: close", "cache-control: no-cache", "x-forwarded-for: foo" and so on without having the resources required to check for their existence, or having the programmatic flexibility to let the user express what to do. Don't forget that 20 years ago this was very common and the amount of available CPU and RAM wasn't the same as today.

I think that the current definition is fine and reasonable. It doesn't pose any problem as long as those who care about the field's value are able to reject partial values. Those in the middle who aggregate the partial values are not impacted if they don't use it, so the real recipient for this header is the last one which either sees invalid, partial values, or a complete, valid one.

Willy
Received on Saturday, 16 May 2020 05:51:08 UTC
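
The recipient behaviour described in the message above, as an added example that is not part of the original message or of the draft: the last recipient joins every instance of a field in order and either accepts the complete value or rejects the whole field. The field name `Example-List`, the function names, the sample headers and the simplified grammar (bare tokens and integers only) are assumptions made for illustration.

```python
import re

# Simplified subset of a structured-field List (assumption): members are bare
# tokens or integers only, with no parameters, inner lists, strings or decimals.
_TOKEN = re.compile(r"[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:/]*")
_INTEGER = re.compile(r"-?[0-9]{1,15}")

def combine_field_lines(headers, name):
    """Join every instance of `name`, in arrival order, with ', '."""
    values = [v for (n, v) in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None

def _skip_ows(value, pos):
    while pos < len(value) and value[pos] in " \t":
        pos += 1
    return pos

def parse_list(value):
    """Strictly parse the combined value; raise ValueError on any defect."""
    value = value.strip(" ")
    pos, members = 0, []
    while pos < len(value):
        m = _INTEGER.match(value, pos)
        if m:
            members.append(int(m.group()))
        else:
            m = _TOKEN.match(value, pos)
            if not m:
                raise ValueError(f"bad member at offset {pos}")
            members.append(m.group())
        pos = _skip_ows(value, m.end())
        if pos == len(value):
            break
        if value[pos] != ",":
            raise ValueError(f"expected ',' at offset {pos}")
        pos = _skip_ows(value, pos + 1)
        if pos == len(value):
            raise ValueError("trailing comma")
    return members

def recipient_value(headers, name):
    """Final recipient: a complete valid value, or None for the whole field."""
    combined = combine_field_lines(headers, name)
    if combined is None:
        return None
    try:
        return parse_list(combined)
    except ValueError:
        return None  # never act on a partial parse of the combined value
```

An intermediary that only appends or forwards a field line needs none of this; only the component that consumes the value has to parse it.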