HTTP Upgrade Request Smuggling Draft


In HTTPBIS at IETF 117, I mentioned some issues related to "optimistic" use of HTTP Upgrade and a theoretical Request Smuggling issue with connect-udp in HTTP/1.1.  Several commenters suggested that I write a separate draft on that topic, which I've now done:

Security Considerations for Optimistic Use of HTTP Upgrade

Abstract: "The HTTP/1.1 Upgrade mechanism allows the client to request a change to a new protocol. This document discusses the security considerations that apply to data sent by the client before this request is confirmed, and updates RFC 9298 to avoid related security issues."

Please review.

--Ben Schwartz

Received on Thursday, 24 August 2023 10:53:47 UTC