- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 6 Aug 2025 23:39:14 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi,
while we were discussing with Kazuho and Martin last week around a
possible use of Expect for incremental requests, I came up with a doubt
on a particular point of Expect: 100-continue, which is whether or not
in HTTP/1 it's still permitted to reuse the connection when the request
got a final response before uploading the contents.
It turns out that I'm not seeing anything in the spec about this, leading
me to suspect that it's permitted to reuse the connection. But at the same
time it's encouraged that the client doesn't wait forever. So for me this
means that there could be an ambiguity about what follows on the wire after
an immediate response:
client server
POST / HTTP/1.1
host: foo
content-length: 1000
expect: 100-continue
....
<wait>
... <--- HTTP/1.1 403 forbidden
finally send body ---> ...
<--- ... 403
... ---> BODY
If the body contains what looks like a new request, the server will
happily take it as the next one. Of course we don't have this problem
with H2/H3, but I've looked at RFC9112 and didn't find anything special
regarding reuse of the connection in this case. Did I miss anything ?
I think that any final response to a request holding an Expect header
should always be emitted with a connection: close header in H1 to avoid
such issues. It might not always be great of course (e.g. re-authenticate)
but I'm not seeing a non-ambiguous sequence without this.
Thanks,
Willy
Received on Wednesday, 6 August 2025 21:39:20 UTC