Suspected ambiguity in H1 around Expect: 100-continue

Hi,

while we were discussing with Kazuho and Martin last week around a
possible use of Expect for incremental requests, I came up with a doubt
on a particular point of Expect: 100-continue, which is whether or not
in HTTP/1 it's still permitted to reuse the connection when the request
got a final response before uploading the contents.

It turns out that I'm not seeing anything in the spec about this, leading
me to suspect that it's permitted to reuse the connection. But at the same
time it's encouraged that the client doesn't wait forever. So for me this
means that there could be an ambiguity about what follows on the wire after
an immediate response:

   client                                              server

   POST / HTTP/1.1
   host: foo
   content-length: 1000
   expect: 100-continue
       ....
     <wait>
                                    ...  <---  HTTP/1.1 403 forbidden
   finally send body ---> ...
                     <--- ... 403
                                    ...  --->  BODY

If the body contains what looks like a new request, the server will
happily take it as the next one. Of course we don't have this problem
with H2/H3, but I've looked at RFC9112 and didn't find anything special
regarding reuse of the connection in this case. Did I miss anything ?

I think that any final response to a request holding an Expect header
should always be emitted with a connection: close header in H1 to avoid
such issues. It might not always be great of course (e.g. re-authenticate)
but I'm not seeing a non-ambiguous sequence without this.

Thanks,
Willy

Received on Wednesday, 6 August 2025 21:39:20 UTC