- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Mon, 12 Jun 2006 11:37:34 +0200
- To: "Julian Reschke" <julian.reschke@gmx.de>, "Ian Hickson" <ian@hixie.ch>
- Cc: "Gorm Haug Eriksen" <gormer@opera.com>, "Mark Nottingham" <mnot@yahoo-inc.com>, "Mark Baker" <distobj@acm.org>, "Anne van Kesteren" <annevk@opera.com>, "Pete Kirkham" <mach.elf@gmail.com>, "Web APIs WG (public)" <public-webapi@w3.org>
On Sun, 11 Jun 2006 22:02:15 +0200, Julian Reschke <julian.reschke@gmx.de> wrote: >> Wouldn't sending a body with a method that doesn't allow a body result >> in allowing request smuggling? > > Well, in only in a broken implementation. See > <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.3>: The request smuggling whitepaper demonstrated that major and widely used servers and proxy servers were broken, or parsed things differently in a way that enabled request smuggling... > "The presence of a message-body in a request is signaled by the > inclusion of a Content-Length or Transfer-Encoding header field in the > request's message-headers. A message-body MUST NOT be included in a > request if the specification of the request method (Section 5.1.1) does > not allow sending an entity-body in requests. A server SHOULD read and > forward a message-body on any request; if the request method does not > include defined semantics for an entity-body, then the message-body > SHOULD be ignored when handling the request." ..possibly because the final SHOULD really SHOULD have been a MUST..? -- Hallvord R. M. Steen Core QA JavaScript tester, Opera Software http://www.opera.com/ Opera - simply the best Internet experience
Received on Monday, 12 June 2006 09:35:24 UTC