- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 7 Aug 2025 07:21:37 +0200
- To: Sean McArthur <sean@seanmonstar.com>
- Cc: Glenn Strauss <gs-lists-ietf-http-wg@gluelogic.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Aug 06, 2025 at 07:26:46PM -0400, Sean McArthur wrote: > Actually this specific gotcha did come up a while ago with hyper and curl. > As I read our comments again, we identified the same ambiguity. > Specifically how a client should retry without the header, but skipping > sending the body, on the same connection. > https://github.com/hyperium/hyper/issues/2791 Indeed, that's exactly what I had in mind! > hyper still decided that as long as there was a content-length header, the > payload is either expected or a conn should be closed. (In my mind, it > could be request smuggling to treat it as a new request.) I totally agree. Normally the header is pretty clear about this (and I also agree that with chunked encoding it would be possible to just send 0 CRLF CRLF and start a new request). But the wording of the spec leaves the door open to misinterpretation. I'd personally have added a warning in an extra sentence to remind that the receipt of a complete response doesn't terminate the request message and that the client must either finish the upload or close the connection. > I don't know if curl treats it differently. > > But yes, the confusion has happened before. Thanks for confirming my doubts ;-) Willy
Received on Thursday, 7 August 2025 05:21:48 UTC