- From: Richard Gibson <notifications@github.com>
- Date: Mon, 01 May 2023 11:14:59 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 1 May 2023 18:15:04 UTC
Duplicate of #551, which references https://github.com/httpwg/http-core/issues/202 that ultimately affected text in the successor of RFC 7231: [RFC 9110 section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110#section-9.3.1-6) (emphasis mine)

> content received in a GET request has no generally defined semantics, **cannot alter the meaning or target of the request**, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack ([Section 11.2](https://www.rfc-editor.org/rfc/rfc9112#section-11.2) of [[HTTP/1.1](https://www.rfc-editor.org/rfc/rfc9110#HTTP11)]). A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. An origin server SHOULD NOT rely on private agreements to receive content, since participants in HTTP communication are often unaware of intermediaries along the request chain.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1644#issuecomment-1530036049

Message ID: <whatwg/fetch/issues/1644/1530036049@github.com>
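An added example (not part of the original message, the Fetch Standard or the RFCs): one way a server or intermediary could apply the quoted RFC 9110 text, rejecting GET requests that carry content and any request whose framing is ambiguous. The function names, return strings and sample requests are assumptions constructed for illustration.

```javascript
// Parse the head of a raw HTTP/1.1 request into method and header fields.
function parseHead(raw) {
  const [head] = raw.split("\r\n\r\n");
  const [requestLine, ...lines] = head.split("\r\n");
  const [method] = requestLine.split(" ");
  const headers = new Map(); // lower-cased field name -> array of values
  let malformed = false;
  for (const line of lines) {
    const i = line.indexOf(":");
    const name = i > 0 ? line.slice(0, i) : "";
    // Field names must be plain tokens; "Content-Length : 5" is not tolerated.
    if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) { malformed = true; continue; }
    const key = name.toLowerCase();
    headers.set(key, [...(headers.get(key) || []), line.slice(i + 1).trim()]);
  }
  return { method, headers, malformed };
}

// Decide whether to accept a request based only on its framing headers.
function checkGetContent(raw) {
  const { method, headers, malformed } = parseHead(raw);
  if (malformed) return "reject: malformed header field";
  const cl = headers.get("content-length") || [];
  const te = headers.get("transfer-encoding") || [];
  // Ambiguous framing is refused for every method, not only GET.
  if (cl.length && te.length) return "reject: both Content-Length and Transfer-Encoding";
  if (new Set(cl).size > 1) return "reject: conflicting Content-Length values";
  // Conservative choice for this sketch: only a single run of digits is accepted.
  if (cl.some((v) => !/^\d+$/.test(v))) return "reject: invalid Content-Length";
  const hasContent = te.length > 0 || cl.some((v) => Number(v) > 0);
  if (method === "GET" && hasContent) return "reject: content in GET request";
  return "accept";
}

// Constructed sample requests (example.test is a placeholder host).
const plainGet = "GET /search?q=x HTTP/1.1\r\nHost: example.test\r\n\r\n";
const emptyGet = "GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n";
const getWithBody =
  "GET /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 7\r\n\r\n{\"q\":1}";
const getChunked =
  "GET / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
const postBoth =
  "POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n" +
  "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
const spacedName = "GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello";

for (const r of [plainGet, emptyGet, getWithBody, getChunked, postBoth, spacedName]) {
  console.log(JSON.stringify(r.split("\r\n")[0]), "=>", checkGetContent(r));
}
```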