httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: arrrrgh!
Date Fri, 02 Aug 1996 16:38:11 GMT
Alexei Kosut wrote:
> 
> On Fri, 2 Aug 1996, Ben Laurie wrote:
> 
> [...]
> 
> > Isn't this exactly what the BrowserMatch stuff is for? (Or whatever it was
> > called).
> 
> Sorta. It doesn't strike me as the most elegant solution, though.  Several
> reasons, but especially necause the Host: header is a header that actually
> modifies the request. Connection:, which was the Netscape problem, has not
> relevance on the actual request; it just modifies how the data is
> transfered.
> 
> What I'm getting at is that if we modify all the entities based on
> the User-Agent string, and allow caching of them (unless you wanted to
> deny caching of *all* documents the server sent...), then proxy servers
> can really screw up the whole concoction.

Hmmm ... not sure. How does the Host: header mesh with proxies? Like, do
proxies pass it on unmodified, or generate their own?

> 
> It seems a better idea, then, to either change the semantics of how Apache
> handles the Host: header, even though it's not as per spec (*sigh*...
> Roy?), or get MSIE to change.

I don't see that we can change the handling unless we change the spec, too...
on the other hand, come to think of it, it would be a very strange browser
that connected on a port other than 80 and the expected the server to
(virtually) connect it to port 80 because it had send a Host: saying so.

BTW, the more I think about these virtual port connections the less I like
them. If a browser wants to connect on port 1234 instead of 80 it would surely
do a connect directly to 1234 and not connect to 80 then send a Host: header?

So, it seems to me that the facility is only useful for crackers who wish to
bypass firewall port filtering...

> 
> Which might be possible; it's still in beta, no? I know MSIE claims to
> like standards... Hmm. I filled out a bug report, and sent it in. We'll
> see.

If we disallowed port changes then the MSIE behaviour would be rejected on all
ports other than 80... that might get their attention...

Cheers,

Ben.

> 
> -- Alexei Kosut <akosut@organic.com>            The Apache HTTP Server 
>    http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/
> 
> 

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.            Apache Group member (http://www.apache.org)

Mime
View raw message