On Wed, Dec 7, 2016 at 2:23 PM, Jacob Champion <champio...@gmail.com> wrote:

> On 12/07/2016 12:03 PM, William A Rowe Jr wrote:
>
>> On Wed, Dec 7, 2016 at 10:50 AM, Jacob Champion <champio...@gmail.com
>> <mailto:champio...@gmail.com>> wrote:
>>
>>     What's your end goal? I don't think we can *prohibit* modules from
>>     sending extra headers in 100 responses, but it does make sense to
>>     limit what we send by default, especially if we're currently sending
>>     Content-Length (which IIUC is meaningless in that context).
>>
>> When we send 100 CONTINUE from the http_filters.c core read
>> filter, we send no headers. Simple.
>>
>
> 1) Are 1xx responses handled by the http_filters code? I was under the
> impression that they were not.
>

that code generates 100 CONTINUE responses, yes. Although not
for mod_proxy_http in RFC mode, that case is a pass through of
the various 1xx responses, except for 100 if it is not expected still.



> 2) This is allowed by the spec, I guess, but it seems punitively strict to
> me. Some deployments might be using something interesting in the headers,
> perhaps a precursor to the upcoming 103?


>From a mod_proxy perspective, other 1xx's could be sent with the
headers that accompanied them, but what headers of value can
httpd add? None, IMO. mod_proxy_http should read the headers
from 1XX interims into an empty headers array and send them on
using ap_send_interim_response without extra processing, until
we finally arrive at a final status which httpd should decorate using
whatever happened to the headers_out array during pre-processing,
including mod_headers activity.


> I'm looking at ap_send_interim_response and am somewhat confused
>> by core_upgrade handler, which I'll get to in a moment.
>>
>> h2_h2.c check_push() applies only to HTTP/2, and notably does
>> not clear headers_out before adding the Link header and pushing
>> out a 103 response, but I'm not going to dig much further at this
>> exact moment.
>>
>
> Well, in that case the entire point of 103 is to send headers. That is, if
> I'm understanding the spec correctly; Stefan, can you confirm?


102 PROCESSING is defined here, per the registry,
https://tools.ietf.org/html/rfc2518#page-59
It doesn't seem to call for additional headers (concieveable one would
want to add X-Delay: sec or something).

103 is not defined here;
http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml

In fact there doesn't seem to be any canonical definition. HTTP/1.1
should surely reject such, HTTP/2, ENOCLUE (but mod_proxy_http2
should not let it dribble back into HTTP/1.1 requests).


> mod_proxy_http shoves all existing Set-Cookie headers into the
>> interim response (e.g. those added by other modules), and it doesn't
>> appear that these headers are cleared after a 100 continue response.
>> The Via response is added, hop by hop headers are cleared, and
>> a whole bunch of other inappropriate processing is going on there.
>> That module looks the most problematic, send_interim_response
>> was not very well thought out and includes much internal httpd
>> decoration that is only appropriate for the final response.
>>
>> core_upgrade_handler (in server/core.c) *does* clear headers_out
>> before adding the two necessary Upgrade and Connection headers,
>> so in this context we are good. But it handles 101 UPGRADE
>> interim responses without first testing that expecting-100 was
>> satisfied, per spec. There appears to be no way to process more
>> than one upgrade (and we know from spec, that multiple upgrades
>> may be necessary; crypto vs framing, for example).
>>
>
> Expect: 100-continue doesn't have anything to do with 101 Upgrade... and
> more than one upgrade doesn't make sense IMO, as the HTTP protocol is
> replaced wholesale. I think a couple of protocol pieces are being confused
> here.


Uhm, they can be combined and the spec is clear on how must happen.

Reply via email to