Re: [#95] Multiple Content-Lengths

On 2010-10-13 22:57, William Chan (陈智昌) wrote:
> First bug report wrt to this change:
> http://code.google.com/p/chromium/issues/detail?id=59077.  Indeed, this
> is a duplicate Content-Length (not mismatching).
> ...

So it seems that due this type of bug reports, Chrome loosened the check 
to allow multiple instances when the values are identical (which is 
explicitly allowed in HTTPbis per the resolution of #95).

Furthermore, Firefox 7 is now doing similar checks, but adds more header 
fields (Location, Content-Disposition), and also has started to be picky 
about certain field values (such as C-L with a broken integer).

This is good. I'd like to thank the implementers that they were willing 
to "break" a few pages and deal with the bug reports, in order to make 
this improvement!

Best regards, Julian

Re: [#95] Multiple Content-Lengths

Invitation to connect on LinkedIn

Invitation to connect on LinkedIn

Proxy-Authorization with empty credentials

Hi all, I'm hoping someone can help here.

I've been trawling RFC2616 and 2617 for clarity on an issue a customer 
is having.

They have an AV product that does updates using HTTP, and has 
configuration settings for a proxy, and settings to enable/disable proxy 
auth and supply credentials.

The problem is the software sends Proxy-Authorization in all requests, 
using Basic, and no user/pass - just a base64 encoded ':'

Since the credentials are empty, we fail authorization, even though 
policy didn't require authorization, the existence of the 
Proxy-Authorization header in the request triggered our auth code.

The reason we go straight into our auth code on the existence of this 
header, is because with Basic auth, the client will commonly re-use the 
credentials it previously successfully validated, and going straight to 
check the creds saves a 407 and round trip.

I'm struggling to find any language in 2616 and 2617 that states that a 
Proxy-Authorization with empty creds is invalid, although it seems like 
an incredibly bad idea.

The customer contacted the vendor of the offending software, and they 
said it's by design and not considered a bug.

Maybe we need to clarify this going forward?  I think a client shouldn't 
send P-A unless they wish to authenticate, and shouldn't send Basic 
creds without clear directive from the user (since it's a potential 
credential leak).

Adrien

--

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

I-D draft-petersson-forwarded-for-01.txt

Hi.

The draft for the forwarded-for is finally updated. The main
revision is the extension of scope for the draft by adding a 
parametrized list.

http://www.ietf.org/id/draft-petersson-forwarded-for-01.txt

Please comment.

Best regards,
 Andreas Petersson, 
 Opera Software

Re: I-D draft-petersson-forwarded-for-01.txt

In message <20111005123338.320c38d4 <at> hetzer>, Andreas Petersson writes:

>http://www.ietf.org/id/draft-petersson-forwarded-for-01.txt
>
>Please comment.

]       proto-kv   = "proto=" ( "http" | "https" )

Given Speedy, Websockets and other such experiments, shouldn't this
allow any protocol-name ?

--

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Re: I-D draft-petersson-forwarded-for-01.txt

On 10/5/11 12:38 PM, Poul-Henning Kamp wrote:
> In message <20111005123338.320c38d4 <at> hetzer>, Andreas Petersson writes:
> 
>> http://www.ietf.org/id/draft-petersson-forwarded-for-01.txt
>>
>> Please comment.
> 
> ]       proto-kv   = "proto=" ( "http" | "https" )
> 
> Given Speedy, Websockets and other such experiments, shouldn't this
> allow any protocol-name ?
> 

Yes, I guess that sounds quite reasonable. But will every protocol
always only have one unique name, that everyone would use, without need
for discussion?

Another, perhaps a non-issue, would be name changes (somewhat like
jabber vs. xmpp or yp vs. nis).

/Andreas Petersson

Re: I-D draft-petersson-forwarded-for-01.txt

In message <4E8C9DFD.2090908@...>, Andreas Petersson writes:

>> ]       proto-kv   = "proto=" ( "http" | "https" )
>> 
>> Given Speedy, Websockets and other such experiments, shouldn't this
>> allow any protocol-name ?
>
>Yes, I guess that sounds quite reasonable. But will every protocol
>always only have one unique name, that everyone would use, without need
>for discussion?

We're not here to solve _all_ the worlds problems 

--

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Re: I-D draft-petersson-forwarded-for-01.txt

On Wed, 05 Oct 2011 20:12:13 +0200, Andreas Petersson wrote:
> On 10/5/11 12:38 PM, Poul-Henning Kamp wrote:
>> In message <20111005123338.320c38d4 <at> hetzer>, Andreas Petersson 
>> writes:
>>
>>> http://www.ietf.org/id/draft-petersson-forwarded-for-01.txt
>>>
>>> Please comment.
>>
>> ]       proto-kv   = "proto=" ( "http" | "https" )
>>
>> Given Speedy, Websockets and other such experiments, shouldn't this
>> allow any protocol-name ?
>>
>
> Yes, I guess that sounds quite reasonable. But will every protocol
> always only have one unique name, that everyone would use, without 
> need
> for discussion?
>
> Another, perhaps a non-issue, would be name changes (somewhat like
> jabber vs. xmpp or yp vs. nis).

Maybe establish a (lightweight!) registry? Or is there one already?

>
> /Andreas Petersson

--

-- 
Mark Nottingham
http://www.mnot.net/