Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/04/23 15:11:37 UTC

[GitHub] [tomcat] markt-asf commented on issue #277: Refuse adding invalid HTTP 2.0 headers

markt-asf commented on issue #277:
URL: https://github.com/apache/tomcat/pull/277#issuecomment-618453474


   I've been reading the HTTP/2 RFC and there is more to this than simply blocking the `connection` header.
   1. What the HTTP/2 and HTTP/1.1 specs suggest we should be doing is parsing an attempt to set the `connection` header and then blocking that header *and* any connection level headers it specifies, whether set previously or not.
   2. There is the general question of whether we should be targeting just HTTP/2 or whether we should be preventing applications doing this regardless of protocol.
   
   We need to figure out what we actually want to do first.
   
   I'm currently leaning towards introducing logging of attempts to set connection level headers with a warning that a future version will block the attempt. Probably with `UserDataHelper` to keep log volumes down even though this isn't really user data.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
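The filtering behaviour the comment describes, written out as an added example (not Tomcat code and not part of the original message): every header nominated by a `Connection` field is blocked together with `Connection` itself, regardless of whether it was set before or after, and the fixed list of connection-specific fields plus the `TE`-only-with-`trailers` rule follow RFC 7540 section 8.1.2.2. Function and variable names are assumptions.

```python
from typing import List, Set, Tuple

Header = Tuple[str, str]

# Connection-specific fields that RFC 7540 section 8.1.2.2 says must not be
# carried in HTTP/2 messages even when no Connection header nominates them.
CONNECTION_SPECIFIC = frozenset({
    "connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade",
})


def nominated_by_connection(headers: List[Header]) -> Set[str]:
    """Collect the lower-cased field names listed in every Connection header value."""
    names: Set[str] = set()
    for name, value in headers:
        if name.lower() == "connection":
            for token in value.split(","):
                token = token.strip().lower()
                if token:
                    names.add(token)
    return names


def strip_connection_level(headers: List[Header]) -> Tuple[List[Header], List[Header]]:
    """Split an HTTP/2 header list into (kept, blocked).

    Blocked headers are the fixed connection-specific set, anything nominated by a
    Connection field (whether it appeared earlier or later in the list), and a TE
    header whose value is anything other than "trailers". The blocked list is
    returned so a caller can log the attempts rather than silently drop them.
    """
    blocked_names = CONNECTION_SPECIFIC | nominated_by_connection(headers)
    kept: List[Header] = []
    blocked: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if lname in blocked_names:
            blocked.append((name, value))
        elif lname == "te" and value.strip().lower() != "trailers":
            blocked.append((name, value))
        else:
            kept.append((name, value))
    return kept, blocked


if __name__ == "__main__":
    # Constructed sample: Keep-Alive is set *before* the Connection header names it.
    sample = [("Keep-Alive", "timeout=5"), ("Connection", "keep-alive, X-Custom"),
              ("X-Custom", "1"), ("Content-Type", "text/plain"), ("TE", "trailers")]
    for name, value in strip_connection_level(sample)[1]:
        print(f"blocked connection-level header: {name}: {value}")
```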