Posted to github@trafficserver.apache.org by GitBox <gi...@apache.org> on 2021/05/25 01:58:24 UTC

[GitHub] [trafficserver] sudheerv commented on pull request #7875: Restrict HTTP versions allowed on the HTTP request line

sudheerv commented on pull request #7875:
URL: https://github.com/apache/trafficserver/pull/7875#issuecomment-847472511


   > I don't have a strong opinion on whether we allow the invalid request line. However, I think the restriction should be either a) accept all the versions (i.e. `1.1`, `1.0`, `2.0` and `3.0`) that are on the RFC you quoted && can be handled by ATS, or b) accept only `1.1` and `1.0` that are the only valid versions in reality.
   > 
   > Option a) could be complicated. While ATS has experimental support for H3, it is only available if ATS is built with an SSL library that supports QUIC (special OpenSSL or BoringSSL). We may want to have `ifdef` in the function if we take option a). This is why I wanted you to clarify what you mean by "supported". Strictly speaking, we should check whether ALPN (or NPN) is available to say `2.0` is supported in that sense.
   > 
   > My biggest question was why the function doesn't allow 3.0 where it allows 2.0, but now I'm inclined to option b) because of the complexity above. I don't see benefits to having the complicated function at the moment.
   
   +1 
   
   Agree with the reasoning. Updated to remove HTTP/2.0 as well for consistency. 
   
   Thanks for the review!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
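
Option b) from the comment above, sketched as an added example (this is not code from the pull request or from ATS): a request-line check that accepts only `HTTP/1.0` and `HTTP/1.1` and reports `2.0` and `3.0` as unsupported rather than malformed. The function name, the enum and the sample request lines are assumptions made for this illustration.

```cpp
#include <cstdio>
#include <string_view>

enum class VersionCheck { Allowed, Unsupported, Malformed };

static bool is_digit(char c) { return c >= '0' && c <= '9'; }

// Classify the HTTP-version token of a request line of the form
// "method SP request-target SP HTTP-version" (CRLF already stripped).
VersionCheck check_request_line_version(std::string_view line)
{
  const auto first_sp = line.find(' ');
  const auto last_sp  = line.rfind(' ');
  // Need a non-empty method and a non-empty target before the version.
  if (first_sp == std::string_view::npos || first_sp == 0 || last_sp <= first_sp + 1) {
    return VersionCheck::Malformed;
  }
  const std::string_view v = line.substr(last_sp + 1);
  // HTTP-version = "HTTP/" DIGIT "." DIGIT: case-sensitive, exactly 8 bytes.
  if (v.size() != 8 || v.substr(0, 5) != "HTTP/" || !is_digit(v[5]) ||
      v[6] != '.' || !is_digit(v[7])) {
    return VersionCheck::Malformed;
  }
  // Option b): only 1.0 and 1.1 are valid on a request line. HTTP/2 and
  // HTTP/3 are negotiated at the transport layer and never appear here.
  if (v[5] == '1' && (v[7] == '0' || v[7] == '1')) {
    return VersionCheck::Allowed;
  }
  return VersionCheck::Unsupported; // well-formed, but e.g. 2.0, 3.0, 1.2
}

int main()
{
  // Constructed sample request lines, not taken from any real traffic.
  const char *samples[] = {"GET / HTTP/1.1", "GET / HTTP/1.0", "GET / HTTP/2.0",
                           "GET / HTTP/3.0", "GET / http/1.1", "GET HTTP/1.1"};
  const char *names[]   = {"allowed", "unsupported", "malformed"};
  for (const char *s : samples) {
    std::printf("%-16s -> %s\n", s, names[static_cast<int>(check_request_line_version(s))]);
  }
  return 0;
}
```

Separating "unsupported" from "malformed" lets the caller log the two cases differently even when both are rejected.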