rschmitt commented on PR #707: URL: https://github.com/apache/httpcomponents-client/pull/707#issuecomment-3193940899
> The page https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/103 suggests `103` should only be for HTTP/2 or later.

And rightly so. HTTP/1.1's framing is inherently unreliable and they're still finding [desync attacks](https://portswigger.net/research/http1-must-die) in the wild. Additionally, this type of scheme works best with async IO, so that the `103` response can be handled as soon as it comes in, and only HTTP/2 is reliably implemented with async IO (since it's a multiplexed protocol).

I also find it strange that this RFC provides no way for the client to signal its support for this feature, analogous to `Expect: 100-continue`. Who the hell would just turn this feature on in production for all clients?

I agree that the client should at least _tolerate_ `103` responses, but I don't have a strong opinion about how to expose them. The dedicated callback in the PR seems reasonable.
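
One way a client can tolerate `103` on HTTP/1.1, as an added example that is not part of the comment above or of the HttpClient code base: a minimal blocking response reader that passes interim heads to a callback and rejects framing it cannot parse unambiguously. The function names, the `MAX_INTERIM` cap and the sample bytes are assumptions made for illustration.

```python
import io

MAX_INTERIM = 8  # assumed cap so a peer cannot stall the reader with endless 1xx heads

def read_head(stream):
    """Read one status line and header block; return (status, headers)."""
    line = stream.readline()
    if not line.endswith(b"\r\n"):
        raise ValueError("truncated or bare-LF status line")
    parts = line[:-2].split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"HTTP/1.1" or len(parts[1]) != 3 or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = []
    while True:
        line = stream.readline()
        if not line.endswith(b"\r\n"):
            raise ValueError("truncated or bare-LF header line")
        if line == b"\r\n":
            return int(parts[1]), headers
        name, sep, value = line[:-2].partition(b":")
        if not sep or not name or name != name.strip():  # no colon, folding, or space before colon
            raise ValueError("malformed header field")
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))

def read_response(stream, on_early_hints=None):
    """Return (status, headers, body) of the final response; 103 Link values go to the callback."""
    for _ in range(MAX_INTERIM + 1):
        status, headers = read_head(stream)
        if status == 101:
            raise ValueError("101 protocol switch is out of scope here")
        if 100 <= status < 200:  # interim head: ends at the empty line, never has a body
            if status == 103 and on_early_hints:
                on_early_hints([v for n, v in headers if n == "link"])
            continue
        lengths = {v for n, v in headers if n == "content-length"}
        chunked = any(n == "transfer-encoding" for n, _ in headers)
        if chunked or len(lengths) != 1 or not all(v.isascii() and v.isdigit() for v in lengths):
            raise ValueError("ambiguous or unsupported body framing")
        size = int(lengths.pop())
        body = stream.read(size)
        if len(body) != size:
            raise ValueError("short body")
        return status, headers, body
    raise ValueError("too many interim responses")

# Constructed sample: one 103 head followed by the final response on the same connection.
SAMPLE = (b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload; as=style\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
```

Because the reader blocks, the callback runs only when the caller is already waiting on the response, which is the limitation the comment raises about handling `103` without async IO.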
