________________________________
From: Gunter Van de Velde via Datatracker <noreply@ietf.org>
Sent: Monday, September 8, 2025 6:18 AM
...
> what is the specific mechanism by which it is considered to be “updating” RFC
> 9112 and RFC 9298? In other words, does it truly update these RFCs in a
> standards-track sense, or does it serve more as an explanatory security note?
It is a true Update with normative changes.
Section 5.3 provides explicit text changes to RFC 9298, including the following new text:
Clients MUST NOT send UDP packets optimistically in HTTP/1.x due
to the risk of request smuggling attacks.
Section 7 "updates RFC 9112 to include the remaining text of this section", which includes
Proxy clients that send CONNECT requests on behalf of untrusted TCP
clients MUST ...
and
As a mitigation, proxy servers MUST close the underlying connection when ...
...
GV> Do the xx in the above displayed "2xx" have a meaning? I assume that the "2"
means successful and that the xx is some code on the type of success? Is there
a reference for these?
Yes, this is the recommended style from the HTTPBIS style guide when referring to the entire range of success status codes. See https://httpwg.org/admin/editors/style-guide#status-codes, referencing https://datatracker.ietf.org/doc/html/rfc9110#name-status-codes.
190 different origin (party 3). Post-transition protocols such as
191 WebSocket similarly are often used to convey data chosen by a third
192 party.
GV> Should there be a reference for the WebSocket protocol added?
OK, added: https://github.com/httpwg/http-extensions/commit/e89a37330f62abcfd5800d5d5699d25fb212a3dd
--Ben