Re: [squid-users] NONE/411 Length Required

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 26 Jun 2009 10:49:28 -0600

On 06/17/2009 12:00 AM, Mark Nottingham wrote:
> [ moving to squid-dev ]
>
> From what I can see, the site is using JavaScript to do autocomplete on
> a search field. The autocomplete requests use POST, but without a body.
>
> With Firefox, this results in a POST request without a body; i.e., it
> doesn't have transfer-encoding *or* content-length.
>
> Such a POST request is legal (although atypical; Safari and I think
> others will include a Content-Length: 0 to signal no body explicitly).
> See
> <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-06#section-4.3>.
>
>
> I think the right thing to do here is for Squid to only 411 when there's
> a transfer-encoding present; if there's no content-length, it's safe to
> assume 0 length.

Would the "assume 0 length" approach make request smuggling attacks
easier? Perhaps we should add Content-Length: 0 to the request then?

Alex.
Received on Fri Jun 26 2009 - 16:49:34 MDT
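The framing policy discussed in this thread, sketched as an added example (not part of the original messages and not Squid's code). The function name, `BODY_METHODS` and the sample headers are hypothetical, and the rejection of conflicting Content-Length values is an assumption that goes beyond what the thread proposes.

```python
# Added example; names are hypothetical and this is not Squid's code.
BODY_METHODS = {"POST", "PUT"}  # assumption: methods where a body is expected


def frame_request(method, headers):
    """Decide request-body framing before forwarding.

    headers: list of (name, value) pairs as received from the client.
    Returns (status, body_length, forwarded_headers); status is None when
    the request may be forwarded, else the error status to send.
    """
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = {v.strip() for n, v in headers if n.lower() == "content-length"}

    if te:
        # Policy from the thread: a Transfer-Encoding the proxy will not
        # decode is answered with 411 instead of guessing the length.
        return 411, None, None
    if len(cl) > 1 or any(not (v.isascii() and v.isdigit()) for v in cl):
        # Assumption beyond the thread: conflicting or non-numeric lengths
        # are rejected, since two parsers may pick different values.
        return 400, None, None
    if cl:
        # One agreed length: forward it as a single normalized header.
        length = int(next(iter(cl)))
        out = [(n, v) for n, v in headers if n.lower() != "content-length"]
        out.append(("Content-Length", str(length)))
        return None, length, out

    # Neither header present: assume a zero-length body ...
    out = list(headers)
    if method.upper() in BODY_METHODS:
        # ... and state it explicitly, so the next hop cannot decide otherwise.
        out.append(("Content-Length", "0"))
    return None, 0, out


# Constructed sample: the bodiless autocomplete POST described in the thread.
SAMPLE = [("Host", "example.test"), ("User-Agent", "constructed")]

if __name__ == "__main__":
    print(frame_request("POST", SAMPLE))
```

Making the zero length explicit on the forwarded request means the proxy and the origin server agree on where the request ends, which is the disagreement request smuggling depends on.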
