arkanovicz commented on issue #277: URL: https://github.com/apache/tomcat/pull/277#issuecomment-617075551
> Could you expand the SSE acronym please. I want to make sure I understand you correctly.

[Server-Side Events](https://html.spec.whatwg.org/multipage/server-sent-events.html)

> Code format issues are opening braces `{` should not be on a new line and multi-line comments either use `//` before every line or, if the `/* ... */` style is used each intermediate line starts with an aligned `*`

Ok, noted.

> More generally...
>
> It would be worth reviewing the HTTP/2 spec to check if there are any other headers that are invalid for HTTP/2.

To my knowledge, only the Connection headers.

> The global blocking off applications setting Connection headers seems reasonable at first consideration but needs more thought/review in case there are use cases where it is arguably valid / necessary to do so.

At best, if the faulty header doesn't provoke an error (required by the specs), it will be ignored. Here's what the spec says:

> Intermediaries that process HTTP requests or responses (i.e., any intermediary not acting as a tunnel) MUST NOT forward a malformed request or response. Malformed requests or responses that are detected MUST be treated as a stream error (Section 5.4.2) of type PROTOCOL_ERROR.

> For malformed requests, a server MAY send an HTTP response prior to closing or resetting the stream. Clients MUST NOT accept a malformed response. Note that these requirements are intended to protect against several types of common attacks against HTTP; they are deliberately strict because being permissive can expose implementations to these vulnerabilities.
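The malformed-message rule quoted in the comment above, as an added example that is not part of the original message and is not Tomcat code: a check that flags the header fields RFC 7540, Section 8.1.2.2 makes invalid in an HTTP/2 message. The class name, method name and sample header list are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not Tomcat code. Class and method names are hypothetical.
public class Http2HeaderCheck {

    // Connection-specific fields named in RFC 7540, Section 8.1.2.2.
    private static final Set<String> CONNECTION_SPECIFIC = Set.of(
            "connection", "keep-alive", "proxy-connection",
            "transfer-encoding", "upgrade");

    /** Returns the reason the header list is malformed, or null if it passes. */
    static String findMalformed(List<Map.Entry<String, String>> headers, boolean isRequest) {
        for (Map.Entry<String, String> h : headers) {
            String name = h.getKey();
            // HTTP/2 field names must already be lowercase on the wire.
            if (!name.equals(name.toLowerCase(Locale.ROOT))) {
                return "uppercase field name: " + name;
            }
            if (CONNECTION_SPECIFIC.contains(name)) {
                return "connection-specific field: " + name;
            }
            // TE is allowed only in requests and only with the value "trailers".
            if (name.equals("te")
                    && !(isRequest && h.getValue().trim().equalsIgnoreCase("trailers"))) {
                return "te field not allowed here: " + h.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: an SSE-style response that sets Connection.
        List<Map.Entry<String, String>> response = List.of(
                Map.entry(":status", "200"),
                Map.entry("content-type", "text/event-stream"),
                Map.entry("connection", "keep-alive"));
        String reason = findMalformed(response, false);
        // A peer that detects this treats it as a stream error of type PROTOCOL_ERROR.
        System.out.println(reason == null ? "ok" : "PROTOCOL_ERROR: " + reason);
    }
}
```

Running the same check on the sending side, before the header block is encoded, keeps a strict peer from resetting the stream.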