RFR: 8354276: Strict HTTP header validation
Volkan Yazici
vyazici at openjdk.org
Thu Apr 10 12:44:37 UTC 2025
On Thu, 10 Apr 2025 11:37:23 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient don't fully implement the described requirements.
>
> This PR adds the following validation:
> - pseudo-headers defined for requests are rejected in responses and push streams
> - pseudo-headers defined for responses are rejected in push promises
> - connection headers are rejected in responses and push streams
>
> Connection headers are still accepted in push promises; that's because some popular server implementations were found to echo the request headers in push promises, and when the original request was a HTTP/1 upgrade, the push promise could contain one or more headers that were prohibited in HTTP/2 but allowed in HTTP/1.
>
> An existing test was adapted to verify the handling of response headers. The modified test passes with this the changes in this PR, fails without them. Other tier1-3 tests continue to pass.
test/jdk/java/net/httpclient/http2/BadHeadersTest.java line 30:
> 28: * @build jdk.httpclient.test.lib.http2.Http2TestServer jdk.test.lib.net.SimpleSSLContext
> 29: * @run testng/othervm -Djdk.internal.httpclient.debug=true BadHeadersTest
> 30: * @summary This test verifies the behaviour of the HttpClient when presented
Shall we update the `@bug` field too?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24569#discussion_r2037254709
More information about the net-dev
mailing list