- From: Peng-Yu Chen <notifications@github.com>
- Date: Tue, 09 Jun 2026 15:53:47 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1933@github.com>
starrify created an issue (whatwg/fetch#1933)

### What problem are you trying to solve?

This spec, together with some common HTTP client implementations, allows nested content encodings. E.g. a web server may send `content-encoding: br, gzip, br, gzip` while compressing the body stream accordingly.

This spec does not impose any constraint on the depth of nested content encodings, and this ticket proposes to introduce one that is reasonably low, e.g. 10.

Relevant sections:

- In the currently rendered spec, [section 4.7. HTTP-network fetch](https://fetch.spec.whatwg.org/#http-network-fetch), step 18.
- In the current revision of the draft file `2025-12.bs`, at [around line 6760](https://github.com/whatwg/fetch/blob/30140d05af57eb9d24d43a2c18f108abac7964ce/review-drafts/2025-12.bs#L6760-L6806)

### What solutions exist today?

Seems none in this spec.

By the way, here are the behaviors of a few implementations:

- Chromium: There is no explicit constraint. Thus the depth is implicitly limited by the allowed size of HTTP response headers. E.g. for HTTP/1.1 Chromium has a header read buffer of 256 KB, thus a web server may be able to request up to 87k nested decoders (e.g. `content-encoding: br,br,br,br,br,...<87k "br,"s>...,br`). [An issue](https://issues.chromium.org/issues/520829531) has been reported, and [a fix](https://chromium-review.googlesource.com/c/chromium/src/+/7902277) proposed to set a limit of 10.
- Firefox: The implementation accepts up to 16 nested decoders, and ignores the rest by sending the remaining stream as-is ([code](https://github.com/mozilla-firefox/firefox/blob/f19dd05bb08e26d46137ce52924e35ff7a501dfe/netwerk/protocol/http/HttpBaseChannel.cpp#L1557-L1562)).
- curl/libcurl: Accepts up to 4 nested decoders, and raises an error to abort the response if exceeded ([code](https://github.com/curl/curl/blob/master/lib/content_encoding.c#L784-L789)).

### How would you solve it?

To explicitly set an upper limit, e.g.:

```diff -If codings is null or failure, then set filteredCoding to the empty string. +If codings is null or failure, or if codings's size is greater than 10, then set filteredCoding to the empty string. Otherwise, if codingsās size is greater than 1, then set filteredCoding to "multiple". ```

### Anything else?

_No response_

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1933
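
Review bot: on the `+` line, exceeding the limit only sets filteredCoding to the empty string, the same value already used for "codings is null or failure", and nothing in these lines says what happens to the response body when codings's size is greater than 10. The implementations listed in the issue differ on exactly this (Firefox passes the remaining stream through as-is, curl aborts the response), so the change should state which behaviour applies, for example returning a network error, rather than leaving it implied by the value of filteredCoding. It would also help to note that the unchanged "Otherwise, if codings's size is greater than 1" line then covers sizes 2 through 10 only.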
Received on Tuesday, 9 June 2026 22:53:51 UTC
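
The depth check the issue asks for, as an added example that is not taken from the Fetch spec or from any of the clients named above: the coding count is checked before any decoder runs, and an over-long chain aborts the response (the curl-style choice). All names here (`decode_body`, `parse_codings`, `MAX_CODINGS`, `constructed_response`) are hypothetical, the limit of 10 is the issue's proposed value, and `br` is left out because the Python standard library has no Brotli codec.

```python
import gzip
import zlib

MAX_CODINGS = 10  # assumption: the limit proposed in the issue

# Decoders available in the standard library (no Brotli codec, so no "br").
DECODERS = {
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": zlib.decompress,
    "identity": lambda data: data,
}


class TooManyCodings(ValueError):
    """Raised before any decoder runs when the header lists too many codings."""


def parse_codings(header_values):
    """Split one or more Content-Encoding field values into a list of codings."""
    codings = []
    for value in header_values:
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                codings.append(token)
    return codings


def decode_body(header_values, body, max_codings=MAX_CODINGS):
    """Undo the listed codings, refusing the response if the chain is too deep."""
    codings = parse_codings(header_values)
    # Check the count first, so a long header cannot make us build a long chain.
    if len(codings) > max_codings:
        raise TooManyCodings(f"{len(codings)} codings, limit is {max_codings}")
    unknown = [c for c in codings if c not in DECODERS]
    if unknown:
        raise ValueError(f"unsupported coding: {unknown[0]}")
    # Codings are listed in the order they were applied, so undo them in reverse.
    for coding in reversed(codings):
        body = DECODERS[coding](body)
    return body


def constructed_response(codings, payload):
    """Build a constructed (header values, body) sample, applying codings in order."""
    encoders = {"gzip": gzip.compress, "deflate": zlib.compress}
    for coding in codings:
        payload = encoders[coding](payload)
    return [", ".join(codings)], payload
```

Because the count is checked before the body is touched, an over-long header is rejected even when the body is not compressed at all.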