httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: HTTP/1.1 strict ruleset
Date Thu, 11 Aug 2016 20:24:13 GMT
On Aug 11, 2016 15:09, "Eric Covener" <covener@gmail.com> wrote:
>
> On Thu, Aug 11, 2016 at 4:04 PM, Jim Jagielski <jim@jagunet.com> wrote:
> >> It seems that the two need some potentially different
> >> rulesets. If you are running a forward proxy, you would want to be quite
> >> strict about the responses. If you are only a gateway of trusted backend
> >> servers and apps, you might want to be more tolerant (although Roy and
> >> Jim may disagree with me on this.)
>
> Devil's advocate: Trusted backend + spectre of xss could put you right
> back in strict mindset.

Pardon the language, but absofuckinglutely!

The idea of these potential overrides is to restore a server which is a
gateway to a critical, but horridly coded backend, to get it running again
for a time.

It is not a perpetual means to avoiding the responsibility to fix the
broken backend. It isn't an excuse to avoid writing proper backends. This
is the gist of Luca's and my small disagreement over last-modified handling.

I was thinking over lunch that perhaps we *should* backport the entire
removal of the legacy parser in a later 2.4 or final 2.2 release. Not
necessarily at this next T&R, but soon, later on down the line, after we
have offered months for admins to push their dev teams to get the issues
sorted.
