Re: Make Date header not required

On Mon, Aug 31, 2020 at 06:14:57PM +0300, Sergey Ponomarev wrote:
> The Date header MUST be added to the response but at the same time it may
> be omitted if the origin server doesn't have a good clock. It looks like
> the header is useful only if server or client have misconfigured time but
> the server also returns an Expires header that uses a fixed date.
> That's why the header was replaced with more robust Cache-Control that uses
> max-age with relevant time instead of fixed.
> 
> Also another real life example of usage of the Date is some clients that
> have blocked NTP and they tried to fetch time from google.com or 1.1.1.1.
> 
> Both examples of usage are not so popular and in most cases the Date header
> is just not needed.
> But when implementing a web server you want to be compliant with spec or
> just don't know how and where the Date is used exactly.
> In the next release of BusyBox httpd server for embedded devices the Date
> header can be disabled during a compilation. But this will make the server
> non RFC compatible.
> 
> Is it possible to change MUST to MAY for the header? And add a note when
> the header is really needed.

Well, it's not exactly written the way you suggested but rather like this:

    https://tools.ietf.org/html/rfc7231#section-7.1.1.2

    - an origin server must not send .. if it does not have a clock capable
      of providing a reasonable approximation...
    - may send a date in 1xx or 5xx
    - must send in all OTHER cases

So in short it is very likely reasonable to consider that users who compile
out the support for Date header in BusyBox are precisely those running on
small RTC-less machines, where it definitely makes sense not to send that
header field since there's no way to be certain about the delivered date.

In this regard, I'm already reading this MUST as a form of slightly
stronger SHOULD, which seems to match your needs.

Regards,
Willy

Received on Monday, 31 August 2020 15:54:48 UTC