Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4D5081813A for ; Sat, 12 Dec 2015 00:00:03 +0000 (UTC) Received: (qmail 27301 invoked by uid 500); 12 Dec 2015 00:00:02 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 27229 invoked by uid 500); 12 Dec 2015 00:00:02 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 27219 invoked by uid 99); 12 Dec 2015 00:00:02 -0000 Received: from Unknown (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 12 Dec 2015 00:00:02 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 35DADC4FD6 for ; Sat, 12 Dec 2015 00:00:02 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.102 X-Spam-Level: X-Spam-Status: No, score=-0.102 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd1-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id 3q9RgGRGkv1E for ; Sat, 12 Dec 2015 00:00:01 +0000 (UTC) Received: from mail-qg0-f47.google.com (mail-qg0-f47.google.com [209.85.192.47]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTPS id AAD5524D8E for ; Sat, 12 Dec 2015 00:00:00 +0000 (UTC) Received: by qgz52 with SMTP id 52so22459787qgz.1 for ; Fri, 11 Dec 2015 15:59:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=9J8HBU3Z0BGgWKyY3mh1W3jsa9o/Wfnwdc55sfI9pdw=; b=gd09EDb5r2xH2LOOivmS0xfAW9Ju4+ruMcrxn1lCBkQZYzMq6V8qNX1bMoJwxMrlHH uN5itOCxI3qX0LjSRmNOaGeBFrooYc+P0omDUqZk2zegaB6CqW3hCTMaqOKx0wVGx7PK d3aRH0WSEK4QPPOtFkZP1rVHkEAmGSegsA1Jq0C19YbgVFvg8+33fZXTNxWT0ALSe6+s 5wguFmpM8DqCoU+lbyVokhqgvTRdE0FMrXmbjmaR9gPJHS07hvZJGYovr2HyprVuA+tc 1dFgBDTKkxVhkOFVDPkj2v0AOwWurUYURfZEMRxMt3hCsx/rIEN9DhhkoRI0GYdHm2aA 8R7A== MIME-Version: 1.0 X-Received: by 10.140.89.201 with SMTP id v67mr27991889qgd.38.1449878394401; Fri, 11 Dec 2015 15:59:54 -0800 (PST) Received: by 10.55.65.85 with HTTP; Fri, 11 Dec 2015 15:59:54 -0800 (PST) In-Reply-To: References: <13FE9E7F-9620-4BF9-8EA4-57A6314D66BF@greenbytes.de> <9CCEFD7E-9ED3-4ED1-8F58-2134DD5310F9@gbiv.com> <566887B5.2080705@gmail.com> <5668CC4F.109@gmail.com> <5668EFDB.1050900@gmail.com> <482349A8-86D1-42EF-A436-C907BDF9DF7D@greenbytes.de> <566B2071.4080108@gmail.com> <566B383D.9010306@gmail.com> <566B5293.2080803@gmail.com> Date: Sat, 12 Dec 2015 00:59:54 +0100 Message-ID: Subject: Re: Upgrade Summary From: Yann Ylavic To: httpd-dev Content-Type: text/plain; charset=UTF-8 On Sat, Dec 12, 2015 at 12:41 AM, Yann Ylavic wrote: > Hi Jacob, > > On Fri, Dec 11, 2015 at 11:47 PM, Jacob Champion wrote: >> >> This is where we disagree, for the case of WebSocket and WebSocket alone. >> RFC 6455 4.2.1: >> >> The client's opening handshake consists of the following parts. If >> the server, while reading the handshake, finds that the client did >> not send a handshake that matches the description below (note that as >> per [RFC2616], the order of the header fields is not important), >> including but not limited to any violations of the ABNF grammar >> specified for the components of the handshake, the server MUST stop >> processing the client's handshake and return an HTTP response with an >> appropriate error code (such as 400 Bad Request). > > I guess the RFC is talking about a Websocket server that also > implements HTTP/1 for Websocket purpose only. > In httpd, the protocol parsing is done by the core http module before > any websocket module is called, so there can't (at least shouldn't) be > an invalid HTTP/1 grammar at that level (post_read_request[_header]), > HTTP/1 failures ought to be handled by the core (http module), > including ill/invalid body transfer encoding/length. > So the error could be an unacceptable handshake for the websocket > module, which should then let httpd handle the HTTP/1 request > (ignoring the handshake and probably websocket headers too). Please note that httpd's default (HTTP/1) handler can always catch "http/1" not in Protocols and return "505 Not Supported" if the request reaches it. The administrator configures acceptable protocols, and httpd gives each one's module a chance, defaulting to HTTP/1 (or 505) if none accepts the handshake.