Re: [whatwg/fetch] Acting on incomplete headers (#472)

Chrome rejects incomplete headers over HTTPS, as an attack mitigation, but allows them over HTTP.  That change resulted in very few bug reports.  While the increased prevalence of HTTPS hopefully means the fallout of doing this over HTTP as well wouldn't be too bad, I have my doubts, since I suspect home-brew HTTP servers are much more likely to have this issue, and much less likely to be using HTTPS.

I investigated removing a bunch of HTTP hacks years ago, but ran into issues with the first mitigation, which I believe I chose because it had the lowest use (Removing HTTP/0.9 support over ports other than 80, which is a potential security issue - may have chosen it for the security implications, actually), and gave up.  I gathered stats at the time, but don't think we still have them.  We may be able to bring back the logging code without too much difficulty, not sure.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/472#issuecomment-772645689

Received on Wednesday, 3 February 2021 16:37:13 UTC