| rfc9931v2.txt | rfc9931.txt | |||
|---|---|---|---|---|
| skipping to change at line 419 ¶ | skipping to change at line 419 ¶ | |||
| behaviors are vulnerable to a trivial Request Smuggling attack | behaviors are vulnerable to a trivial Request Smuggling attack | |||
| ([HTTP/1.1], Section 11.2). | ([HTTP/1.1], Section 11.2). | |||
| At the time of writing, some proxy clients are believed to be | At the time of writing, some proxy clients are believed to be | |||
| vulnerable as described. As a mitigation, proxy servers MUST close | vulnerable as described. As a mitigation, proxy servers MUST close | |||
| the underlying connection when rejecting a CONNECT request without | the underlying connection when rejecting a CONNECT request without | |||
| processing any further requests on that connection. This requirement | processing any further requests on that connection. This requirement | |||
| applies whether or not the request includes a "close" connection | applies whether or not the request includes a "close" connection | |||
| option. | option. | |||
| Note that this mitigation will frequently impair the performance of | Note that this mitigation will frequently cause slower connection | |||
| correctly implemented clients, especially when returning a 407 (Proxy | establishment for correctly implemented clients, especially when | |||
| Authentication Required) response. This performance loss can be | returning a 407 (Proxy Authentication Required) response. This | |||
| avoided by using HTTP/2 or HTTP/3, which are not vulnerable to this | performance loss can be avoided by using HTTP/2 or HTTP/3, which are | |||
| attack. | not vulnerable to this attack. | |||
| As a performance optimization, proxy servers MAY disable this | As a performance optimization, proxy servers MAY disable this | |||
| mitigation if the client is known to wait for a 2xx (Successful) | mitigation if the client is known to wait for a 2xx (Successful) | |||
| response before forwarding untrusted TCP payload data (i.e., | response before forwarding untrusted TCP payload data (i.e., | |||
| complying with item 1 above). Proxy servers can identify compliant | complying with item 1 above). Proxy servers can identify compliant | |||
| clients using the request's User-Agent header field and the user | clients using the request's User-Agent header field and the user | |||
| agent vendor's documentation regarding its compliance. | agent vendor's documentation regarding its compliance. | |||
| 9. Security Considerations | 9. Security Considerations | |||
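Review bot: in the rewritten paragraph, "will frequently cause slower connection establishment for correctly implemented clients" is more precise than the old "impair the performance of correctly implemented clients", but the next sentence still opens with "This performance loss", which no longer matches the term just introduced; consider "This slowdown can be avoided by using HTTP/2 or HTTP/3" so both sentences name the same cost. The unchanged surrounding text (the MUST to close the underlying connection when rejecting a CONNECT request, and the MAY to disable the mitigation for clients known to wait for the 2xx response) reads consistently with the new wording, so no further change is needed in this block.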
| End of changes. 1 change blocks. | ||||
| 5 lines changed or deleted | 5 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||