RFR: 8354276: Strict HTTP header validation
Daniel Jeliński
djelinski at openjdk.org
Thu Apr 10 11:44:05 UTC 2025
RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient don't fully implement the described requirements.
This PR adds the following validation:
- pseudo-headers defined for requests are rejected in responses and push streams
- pseudo-headers defined for responses are rejected in push promises
- connection headers are rejected in responses and push streams
Connection headers are still accepted in push promises; that's because some popular server implementations were found to echo the request headers in push promises, and when the original request was a HTTP/1 upgrade, the push promise could contain one or more headers that were prohibited in HTTP/2 but allowed in HTTP/1.
An existing test was adapted to verify the handling of response headers. The modified test passes with this the changes in this PR, fails without them. Other tier1-3 tests continue to pass.
-------------
Commit messages:
- Fix whitespace problems
- Do not catch assertion errors
- More strict header validation
Changes: https://git.openjdk.org/jdk/pull/24569/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=24569&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8354276
Stats: 70 lines in 5 files changed: 55 ins; 1 del; 14 mod
Patch: https://git.openjdk.org/jdk/pull/24569.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/24569/head:pull/24569
PR: https://git.openjdk.org/jdk/pull/24569
More information about the net-dev
mailing list