- From: Ben Schwartz <bemasc@meta.com>
- Date: Mon, 21 Aug 2023 19:54:00 +0000
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Cc: "masque@ietf.org" <masque@ietf.org>
Received on Thursday, 24 August 2023 10:53:47 UTC
Hi HTTPBIS + MASQUE,

In HTTPBIS at IETF 117, I mentioned some issues related to "optimistic" use of HTTP Upgrade and a theoretical Request Smuggling issue with connect-udp in HTTP/1.1. Several commenters suggested that I write a separate draft on that topic, which I've now done:

Security Considerations for Optimistic Use of HTTP Upgrade
https://datatracker.ietf.org/doc/html/draft-schwartz-httpbis-optimistic-upgrade-00

Abstract: "The HTTP/1.1 Upgrade mechanism allows the client to request a change to a new protocol. This document discusses the security considerations that apply to data sent by the client before this request is confirmed, and updates RFC 9298 to avoid related security issues."

Please review.

--Ben Schwartz