RFR: 8354276: Strict HTTP header validation [v5]
Daniel Fuchs
dfuchs at openjdk.org
Tue Apr 29 13:35:52 UTC 2025
On Tue, 29 Apr 2025 09:49:42 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
>> RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient don't fully implement the described requirements.
>>
>> This PR adds the following validation:
>> - pseudo-headers defined for requests are rejected in responses and push streams
>> - pseudo-headers defined for responses are rejected in push promises
>> - connection headers are rejected in responses and push streams
>>
>> Connection headers are still accepted in push promises; that's because some popular server implementations were found to echo the request headers in push promises, and when the original request was a HTTP/1 upgrade, the push promise could contain one or more headers that were prohibited in HTTP/2 but allowed in HTTP/1.
>>
>> An existing test was adapted to verify the handling of response headers. The modified test passes with this the changes in this PR, fails without them. Other tier1-3 tests continue to pass.
>
> Daniel Jeliński has updated the pull request incrementally with five additional commits since the last revision:
>
> - Add test for malformed push promise headers
> - Fix orphaned header consumer
> - Make HeaderDecoder constructor take a context parameter
> - Require ValidatingHeadersConsumer.context != null
> - Move test summary next to test bug number
test/jdk/java/net/httpclient/http2/BadPushPromiseTest.java line 77:
> 75: static final String MAIN_RESPONSE_BODY = "the main response body";
> 76:
> 77: Http2TestServer server;
Can we use HttpServerAdapters and HttpTestServer here please? It will make it easier to create an equivalent test for HTTP/3.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24569#discussion_r2066439563
More information about the net-dev
mailing list