2009/11/18 Mark Nottingham <
mn...@mnot.net>:
>
> On 18/11/2009, at 6:44 PM, Mike Belshe wrote:
>>
>> On Nov 17, 4:16 pm, Mark Nottingham <
m...@mnot.net> wrote:
>>> Why is the number of headers important to convey in the header block? The control blocks are already length-delimited.
>>
>> Just for convenience.
>
> I'm a little concerned about variation in implementations here. If one implementation uses the length to determine end of headers, and another uses the number of headers, it feels an awful lot like an HTTP response splitting attack...
There is difference. The length is of the entire frame and most of
the frames content is compressed. So I can think of a couple cases
here:
1) There is more headers than NV entries indicates. If this happens,
I think that all the other headers should be ignored, or the stream
should be closed with a protocol error. Either way, I don't see
anything bad here.
2) There are less name value pairs (headers) than NV entries
indicates. This should be the same as having junk data, and the
stream should be closed with a protocol error.
NV entries is not used for framing at all since it isn't actually a
length of the headers, but simply the number of headers that exists.
>
>>> At the least, it should be unsigned short instead of int16; however, for better interoperability with the current Web, I'd allow multiple instances of a header (some private applications of HTTP do shove a *lot* of data around in headers, and I think this will become more common over time; it would be a shame to see "FooHeader1", "FooHeader2" and "FooHeader3" used as a workaround for this, no matter how much we dislike big headers on the open Internet).
>>
>> Multiple instances means you need to look through the whole list to
>> verify that there is no other. I'd prefer just increasing the
>> length. The number of bytes saved here is not consequential, and
>> simplicity is key.
>
> The tradeoff here is that allowing multiple instances of a header makes it easy, for example, for an intermediary to append to a Via or X-Forwarded-For header without rewriting existing header lines.
>
> A bad outcome of disallowing them would be if intermediaries started rewriting the header name to obscure it when they want to change the value, as is often done today with the Connection header.
Humm, perhaps we should have some way of saying skip this NV pair. I
don't think this is really useful since we are requiring that any
intermediary uncompress the NV pairs to read and alter them and to
recompress them when writing them back out.