Re: [tomcat] branch main updated: Update the default HEAD response to exclude payload headers
Konstantin,
On 1/20/23 04:39, Konstantin Kolinko wrote:
чт, 19 янв. 2023 г. в 23:41, :
changelog.xml
index 7570715faa..9fd2f679a3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -125,6 +125,10 @@
Implement the new Servlet API methods for setting character encodings
that accept {@code Charset} objects. (markt)
+
+The default HEAD response no longer includes the payload HTTP header
+fields as per section 9.3.2 of RFC 9110. (markt)
+
1. I think that you are actually referring to section 4.3.2."HEAD" of RFC 7231.
I do see words (an explicit "MAY") that allow such behaviour in
4.3.2.of RFC 7231,
but I fail to see them in 9.3.2 of RFC 9110.
I mean that RFC 7231 explicitly says
"except that the payload header fields (Section 3.3) MAY be omitted"
I do not see such words in RFC 9110.
and I do not see the term "payload HTTP header fields" (as mentioned
in our changelog) in RFC 9110.
I wish that RFC 9110 were more clear.
2. Trying to investigate, I see the following:
1) According to "B.3. Changes from RFC 7231" of RFC 9110, there was a
rename of terms:
[quote]
The terms "payload" and "payload body" have been replaced with
"content", to better align with its usage elsewhere (e.g., in field
names) and to avoid confusion with frame payloads in HTTP/2 and
HTTP/3. (Section 6.4)
[/quote]
2) A consequence is that "3.3. Payload Semantics" of RFC 7231 became
"6.4.1. Content Semantics " in RFC 9110.
The table listing "Payload header fields" in section 3.3 of RFC 7231
is gone in RFC 9110, and the term is gone.
3. I wonder whether it makes sense to make this feature configurable.
- I do not like it to be configurable, but I have a vague feeling that
I "know" about Content-Length header in responses to HEAD requests,
and that I used it for something, but I do not remember the details.
If one really used the value, I agree that such code (relying on a
Content-Length header received in response to a HEAD request) is
fragile. Has anyone seen such code in the wild?
I haven't personally used this, but I could imagine using a HEAD request
specifically for the purposes of discovering the size of a resource
without actually fetching the entire thing.
I can't imagine any other way to do it, even with creative use of range
requests.
- I agree that removing "Content-Length" and other headers makes
sense, as it aligns these responses with other no-content responses,
and as such makes behaviour more robust (and in this sense more
secure).
As such, it makes sense to backport it to earlier versions.
- It looks that we may omit any headers per 9.3.2. of RFC 9110, and
not only those four listed in 3.3 of RFC 7231:
First, 9.3.2. of RFC 9110 says "The server SHOULD send the same header fields",
It is "SHOULD", not "MUST".
Second, it mentions as an example that the "Vary" header may differ.
- Looking for examples in the wild,
https://stackoverflow.com/a/3854872
has an example of "Content-Length" / "Transfer-Encoding" headers being
present in responses generated in 2010.
4. Maybe keep this as is for Tomcat 11, but change the words in
changelog. They should not say "payload" when referring to RFC 9110,
+1 to being consistent with the RFC being referenced.
-chris
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: RFC 9218 priorities - back-port?
Mark, On 1/20/23 14:11, Mark Thomas wrote: Hi all, You will have seen I've just committed the updated priorities implementation for HTTP/2. The open question is whether or not we want to back-port this and if so, how far. Thoughts? Shall we let a release or two of Tomcat 11 go by to see if there are any problems reported in the wild before back-porting? Or is this the kind of thing that will be much easier to back-port today than, say, in March/April? -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[ANN] Apache Tomcat 8.5.85 available [CORRECTION]
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.85. [This post corrects the previous announcement on 2023-01-19 which contained the wrong version number in the subject line. Both posts refer to the same actual release from 2023-01-19.] Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 8.5.85 is a bugfix and feature release. The notable changes compared to 8.5.84 include: - The default value of AccessLogValve's file encoding is now UTF-8. - Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. - When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. - Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance. Along with lots of other bug fixes and improvements. Please refer to the change log for the complete list of changes: https://tomcat.apache.org/tomcat-8.5-doc/changelog.html Downloads: https://tomcat.apache.org/download-80.cgi Migration guides from Apache Tomcat 7.x and 8.0: https://tomcat.apache.org/migration.html Please note that Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024. For more information please visit https://tomcat.apache.org/tomcat-85-eol.html Enjoy! - The Apache Tomcat team - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 9 [2023/01/22]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |53602|Ver|Enh|2012-07-25|Support for HTTP status code 451 | |57505|New|Enh|2015-01-27|Add integration tests for JspC| |58530|New|Enh|2015-10-23|Proposal for new Manager HTML GUI | |58548|Inf|Enh|2015-10-26|support certifcate transparency | |58859|New|Enh|2016-01-14|Allow to limit charsets / encodings supported by T| |59750|New|Enh|2016-06-24|Amend "authenticate" method with context by means | |60997|New|Enh|2017-04-17|Enhance SemaphoreValve to support denied status an| |61971|New|Enh|2018-01-06|documentation for using tomcat with systemd | |62048|New|Enh|2018-01-25|Missing logout function in Manager and Host-Manage| |62072|New|Enh|2018-02-01|Add support for request compression | |62405|New|Enh|2018-05-23|Add Rereadable Request Filter | |62488|New|Enh|2018-06-25|Obtain dependencies from Maven Central where possi| |62611|Inf|Enh|2018-08-09|Compress log files after rotation | |62773|New|Enh|2018-09-28|Change DeltaManager to handle session deserializat| |62814|New|Enh|2018-10-10|Use readable names for cluster channel/map options| |62843|New|Enh|2018-10-22|Tomcat Russian localization | |62964|Inf|Enh|2018-11-29|Add RFC7807 conformant Problem Details for HTTP st| |63023|New|Enh|2018-12-20|Provide a way to load SecurityProviders into the s| |63049|New|Enh|2018-12-31|Add support in system properties override from com| |63237|New|Enh|2019-03-06|Consider processing mbeans-descriptors.xml at comp| |63389|New|Enh|2019-04-27|Enable Servlet Warmup for Containerization| |63493|New|Enh|2019-06-10|enhancement - add JMX counters to monitor authenti| |63505|New|Enh|2019-06-14|enhancement - support of stored procedures for Dat| |63545|New|Enh|2019-07-06|enhancement - add a new pattern attribute for logg| |63943|Opn|Enh|2019-11-20|Add possibility to overwrite remote port with info| |63983|Ver|Cri|2019-12-03|Jasper builds-up open files until garbage collecti| |64230|New|Enh|2020-03-15|Allow to configure session manager to skip expirin| |64395|New|Enh|2020-04-30|Windows Installer should offer an option to select| |65208|New|Enh|2021-03-29|Multi-threaded loading of servlets| |65302|New|Enh|2021-05-12|Add support for setting com.sun.jndi.ldap.tls.cbty| |65778|Opn|Enh|2022-01-01|Don't create URL from string | |65779|Inf|Enh|2022-01-01|Introduce CATALINA_BASE_DATA | |66419|New|Nor|2023-01-12|Function with varargs argument fails for single ar| +-+---+---+--+--+ | Total 33 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 10 [2023/01/22]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |64353|New|Enh|2020-04-15|Add support for accessing server certificate from | |64549|New|Enh|2020-06-23|create a project module to launch Tomcat in OSGi | |64550|New|Enh|2020-06-23|create a project module to launch Tomcat in JPMS | |65124|New|Enh|2021-02-03|Inefficient generated JSP code| |65267|New|Enh|2021-04-27|Implement mod_headers like filter | |65391|New|Enh|2021-06-19|Additional user attributes queried by (some) realm| |65635|New|Enh|2021-10-15|Methods to return auth errors | |65770|New|Enh|2021-12-28|Make keys reload automatically| |66125|New|Enh|2022-06-16|JMProxy - enhance security restrictions | |66191|New|Enh|2022-08-01|compile taglibs that are not (yet) included in jsp| |66406|New|Enh|2023-01-02|JULI ClassLoaderLogManager creates multiple logger| +-+---+---+--+--+ | Total 11 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat Connectors [2023/01/22]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca| |47327|New|Enh|2009-06-07|Return tomcat authenticated user back to mod_jk (A| |47750|New|Maj|2009-08-27|ISAPI: Loss of worker settings when changing via j| |48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv| |49822|New|Enh|2010-08-25|Add hash lb worker method | |49903|New|Enh|2010-09-09|Make workers file reloadable | |52483|New|Enh|2012-01-18|Print JkOptions's options in log file and jkstatus| |54621|New|Enh|2013-02-28|[PATCH] custom mod_jk availability checks | |56489|New|Enh|2014-05-05|Include a directory for configuration files | |56576|New|Enh|2014-05-29|Websocket support | |57402|New|Enh|2014-12-30|Provide correlation ID between mod_jk log and acce| |57403|New|Enh|2014-12-30|Persist configuration changes made via status work| |57407|New|Enh|2014-12-31|Make session_cookie, session_path and session_cook| |57790|New|Enh|2015-04-03|Check worker names for typos | |61476|New|Enh|2017-09-01|Allow reset of an individual worker stat value| |61621|New|Enh|2017-10-15|Content-Type is forced to lowercase when it goes t| |62093|New|Enh|2018-02-09|Allow use_server_errors to apply to specific statu| |63808|Inf|Enh|2019-10-05|the fact that JkMount makes other directives ineff| |64775|Inf|Nor|2020-09-28|mod_jk is sending both Content-Length and Transfer| |65488|Inf|Nor|2021-08-08|Destroy method is not being called during Failover| |65901|New|Nor|2022-02-20|HTTP 401 response for a HEAD request violates HTTP| |66005|New|Nor|2022-04-11|Apache crashes, if there is a tomcat server, which| +-+---+---+--+--+ | Total 22 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 8 [2023/01/22]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |55243|New|Enh|2013-07-11|Add special search string for nested roles| |55470|New|Enh|2013-08-23|Help users for ClassNotFoundExceptions during star| |55477|New|Enh|2013-08-23|Add a solution to map a realm name to a security r| |55675|New|Enh|2013-10-18|Checking and handling invalid configuration option| |55788|New|Enh|2013-11-16|TagPlugins should key on tag QName rather than imp| |56148|New|Enh|2014-02-17|support (multiple) ocsp stapling | |56166|New|Enh|2014-02-20|Suggestions for exception handling (avoid potentia| |56300|New|Enh|2014-03-22|[Tribes] No useful examples, lack of documentation| |56398|New|Enh|2014-04-11|Support Arquillian-based unit testing | |56402|New|Enh|2014-04-11|Add support for HTTP Upgrade to AJP components| |56438|New|Enh|2014-04-21|If jar scan does not find context config or TLD co| |56546|New|Enh|2014-05-19|Improve thread trace logging in WebappClassLoader.| |56614|New|Enh|2014-06-12|Add a switch to ignore annotations detection on ta| |56713|New|Enh|2014-07-12|Limit time that incoming request waits while webap| |56787|New|Enh|2014-07-29|Simplified jndi name parsing | |57130|New|Enh|2014-10-22|Allow digest.sh to accept password from a file or | |57367|New|Enh|2014-12-18|If JAR scan experiences a stack overflow, give the| |57421|New|Enh|2015-01-07|Farming default directories | |57486|New|Enh|2015-01-23|Improve reuse of ProtectedFunctionMapper instances| |57701|New|Enh|2015-03-13|Implement "[Redeploy]" button for a web applicatio| |57827|New|Enh|2015-04-17|Enable adding/removing of members via jmx in a sta| |57830|New|Enh|2015-04-18|Add support for ProxyProtocol | |57872|New|Enh|2015-04-29|Do not auto-switch session cookie to version=1 due| |58052|Opn|Enh|2015-06-19|RewriteValve: Implement additional RewriteRule dir| |58072|New|Enh|2015-06-23|ECDH curve selection | |58935|Opn|Enh|2016-01-29|Re-deploy from war without deleting context | |59232|New|Enh|2016-03-24|Make the context name of an app available via JNDI| |60849|New|Enh|2017-03-13|Tomcat NIO Connector not able to handle SSL renego| |61877|New|Enh|2017-12-08|use web.xml from CATALINA_HOME by default | |62214|New|Enh|2018-03-22|The "userSubtree=true" and "roleSubtree=true" in J| |63080|New|Enh|2019-01-16|Support rfc7239 Forwarded header | |63167|New|Enh|2019-02-12|Network Requirements To Resolve No Members Active | |63195|Inf|Enh|2019-02-21|Add easy way to test RemoteIpValve works properly | |65809|New|Enh|2022-01-19|Reduce memory footprint for long-lasting WebSocket| |65995|Inf|Nor|2022-04-06|Change JavaScript MIME type from application/javas| +-+---+---+--+--+ | Total 35 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat Native [2023/01/22]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |62911|New|Enh|2018-11-15|Add support for proxying ocsp requests via ProxyH| |64826|New|Maj|2020-10-19|libtcnative prompts for private key password in so| |64862|New|Enh|2020-10-30|Improve LibreSSL support | |65344|New|Enh|2021-05-31|OpenSSL configuration | +-+---+---+--+--+ | Total4 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat Modules [2023/01/22]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen| |51595|Inf|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho| |51879|Inf|Enh|2011-09-22|Improve access to Native Connection Methods | |52024|Inf|Enh|2011-10-13|Custom interceptor to support automatic failover o| |53199|Inf|Enh|2012-05-07|Refactor ConnectionPool to use ScheduledExecutorSe| |54437|New|Enh|2013-01-16|Update PoolProperties javadoc for ConnectState int| |54929|Inf|Nor|2013-05-05|jdbc-pool cannot be used with Java 1.5, "java.lang| |55078|New|Nor|2013-06-07|Configuring a DataSource Resource with dataSourceJ| |55662|New|Enh|2013-10-17|Add a way to set an instance of java.sql.Driver di| |56046|New|Enh|2014-01-21|org.apache.tomcat.jdbc.pool.XADataSource InitSQL p| |56088|New|Maj|2014-01-29|AbstractQueryReport$StatementProxy throws exceptio| |56310|Inf|Maj|2014-03-25|PooledConnection and XAConnection not handled corr| |56586|New|Nor|2014-06-02|initSQL should be committed if defaultAutoCommit =| |56775|New|Nor|2014-07-28|PoolCleanerTime schedule issue| |56779|New|Nor|2014-07-28|Allow multiple connection initialization statement| |56790|New|Nor|2014-07-29|Resizing pool.maxActive to a higher value at runti| |56798|New|Nor|2014-07-31|Idle eviction strategy could perform better (and i| |56804|New|Nor|2014-08-02|Use a default validationQueryTimeout other than "f| |56805|New|Nor|2014-08-02|datasource.getConnection() may be unnecessarily bl| |56837|New|Nor|2014-08-11|if validationQuery have error with timeBetweenEvic| |56970|New|Nor|2014-09-11|MaxActive vs. MaxTotal for commons-dbcp and tomcat| |57460|New|Nor|2015-01-19|[DB2]Connection broken after few hours but not rem| |57729|New|Enh|2015-03-20|Add QueryExecutionReportInterceptor to log query e| |58489|Opn|Maj|2015-10-08|QueryStatsComparator throws IllegalArgumentExcepti| |59077|New|Nor|2016-02-26|DataSourceFactory creates a neutered data source | |59569|New|Nor|2016-05-18|isWrapperFor/unwrap implementations incorrect | |59879|New|Nor|2016-07-18|StatementCache interceptor returns ResultSet objec| |60195|New|Nor|2016-10-02|No javadoc in Maven Central | |60522|New|Nor|2016-12-27|An option for setting if the transaction should be| |60524|Inf|Nor|2016-12-28|NPE in SlowQueryReport in tomcat-jdbc-7.0.68 | |60645|New|Nor|2017-01-25|StatementFinalizer is not thread-safe | |61032|New|Nor|2017-04-24|min pool size is not being respected | |61103|New|Nor|2017-05-18|StatementCache potentially caching non-functional | |61302|New|Enh|2017-07-15|Refactoring of DataSourceProxy| |61303|New|Enh|2017-07-15|Refactoring of ConnectionPool | |62432|New|Nor|2018-06-06|Memory Leak in Statement Finalizer? | |62598|New|Enh|2018-08-04|support pool with multiple JDBC data sources | |62910|Inf|Nor|2018-11-15|tomcat-jdbc global pool transaction problem | |63612|Inf|Cri|2019-07-26|PooledConnection#connectUsingDriver, Thread.curren| |63705|New|Nor|2019-08-29|The tomcat pool doesn't register all connection th| |64083|New|Nor|2020-01-17|JDBC pool keeps closed connection as available| |64107|New|Maj|2020-01-30|PreparedStatements correctly closed are not return| |64231|New|Nor|2020-03-16|Tomcat jdbc pool behaviour| |64570|New|Nor|2020-07-01|Transaction not rollbacked if autocommit is false | |64809|New|Nor|2020-10-13|Connection properties not reset to defaults when C| |65347|New|Nor|2021-06-02|The equals method from statements generated by the| |65929|New|Nor|2022-03-03|Connection is not released on Connection.abort() c| +-+---+---+--+--+ | Total 47 bugs | +---+ - To unsubscribe
Bug report for Taglibs [2023/01/22]
+---+
| Bugzilla Bug ID |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) |
| | +-+
| | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major |
| | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial |
| | | +-+
| | | | Date Posted |
| | | | +--+
| | | | | Description |
| | | | | |
|38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field |
|38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)|
|42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements |
|46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l|
|48333|New|Enh|2009-12-02|TLD generator |
|57548|New|Min|2015-02-08|Auto-generate the value for org.apache.taglibs.sta|
|57684|New|Min|2015-03-10|Version info should be taken from project version |
|59359|New|Enh|2016-04-20|(Task) Extend validity period for signing KEY - be|
|59668|New|Nor|2016-06-06|x:forEach retains the incorrect scope when used in|
|61875|New|Nor|2017-12-08|Investigate whether Xalan can be removed |
|64649|New|Nor|2020-08-06|XSLT transformation - document('') doesn't return |
|65491|New|Nor|2021-08-09|Behavior differences with c:import when flushing o|
+-+---+---+--+--+
| Total 12 bugs |
+---+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
