https://bz.apache.org/bugzilla/show_bug.cgi?id=63932
--- Comment #13 from Michael Osipov <micha...@apache.org> ---
(In reply to Konstantin Kolinko from comment #11)
> (In reply to Michael Osipov from comment #8)
> >
> > I get the feeling that compression configuration must be moved sooner or
> > later to a subelement <Compression> beneath a connector.
>
> Enabling compression globally like that may make one vulnerable to BREACH
> exploit. Maybe controlling this feature from within a web application is a
> way to go. (E.g. like sendfile feature can be used by DefaultServlet).

I don't understand this?! Transparent compression is already on the Connector? All I am saying is to move those three attributes into a subelement. Maybe it would be better to move this completely to a valve?! Then you will have full control from the webapp.

> https://en.wikipedia.org/wiki/BREACH
>
> > WDYT about adding a suffix and removing it on the fly like mod_deflate
> > should do?
>
> I do not have a clue what you are talking about here.

The proposal from mod_deflate was to transform ETag: "..." to "...-gzip", -br, etc. When the client presents the ETag "...-gzip" the compressor would remove the "-gzip" and the application would not notice that at all.
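
The ETag suffix round trip described in the comment above, as an added example that is not part of the original thread and is not Tomcat or mod_deflate code. The class name, method names and sample ETag values are hypothetical.

```java
import java.util.regex.Pattern;

// Added illustration: names are hypothetical, not Tomcat or mod_deflate code.
public class EtagSuffixDemo {

    // Response side: append "-<coding>" inside the quotes of a strong or weak entity-tag.
    static String addSuffix(String etag, String coding) {
        if (etag == null || etag.length() < 2 || !etag.endsWith("\"")) {
            return etag; // not a quoted entity-tag, pass through unchanged
        }
        return etag.substring(0, etag.length() - 1) + "-" + coding + "\"";
    }

    // Request side: strip "-<coding>" from each entity-tag in If-None-Match / If-Match,
    // so the application compares against the ETag it originally generated.
    // Tags without the suffix, tags for another coding, and "*" are left as they are.
    static String stripSuffix(String header, String coding) {
        if (header == null) {
            return null;
        }
        Pattern tagged = Pattern.compile(
                "((?:W/)?)\"([^\"]*)-" + Pattern.quote(coding) + "\"");
        return tagged.matcher(header).replaceAll("$1\"$2\"");
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String appEtag = "W/\"1047-1578315296666\"";
        String onWire = addSuffix(appEtag, "gzip");

        System.out.println("sent to client:    " + onWire);
        System.out.println("seen by webapp:    " + stripSuffix(onWire, "gzip"));
        System.out.println("list of tags:      "
                + stripSuffix("\"a-gzip\", \"b\", W/\"c-gzip\"", "gzip"));
        System.out.println("wildcard:          " + stripSuffix("*", "gzip"));
        System.out.println("other coding kept: " + stripSuffix("\"a-br\"", "gzip"));
    }
}
```

An application ETag that already ends in "-gzip" is indistinguishable from a suffixed one on the request side, so a real implementation has to decide how to handle that collision.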